The Cosign Development Team has released cosign 2.1.1. Cosign 2.1.1 is a security update, addressing a potential cross-site scripting vulnerability in the cosign.cgi. The cosign filters are unaffected by the vulnerability, and are unchanged from cosign 2.1.0.
Details of the vulnerability can be found at:

    http://weblogin.org/cosign-vuln-2009-001.txt

Organizations maintaining cosign weblogin servers are encouraged to update to cosign 2.1.1 immediately, or backport the patch included at the end of this message.

* Download *

<http://prdownloads.sourceforge.net/cosign/cosign-2.1.1.tar.gz?download>

RIPEMD160(cosign-2.1.1.tar.gz)= 30750612d6c26852d54508dd00954beb12e59967
SHA1(cosign-2.1.1.tar.gz)= 7e1ea06a03affb222958f08f16d9f86ef17021e2
MD5(cosign-2.1.1.tar.gz)= 0e2bab0cace22daabfa9709c68837186

* Changes from 2.1.0 *

cgi: escape login name (xss)

* More Info *

http://sourceforge.net/projects/cosign/
http://weblogin.org/

Please continue to report bugs, submit patches and request features on the SF.net tracker.

Thanks for your support of Cosign.

andrew

--

Index: cgi/cgi.c =================================================================== RCS file: /cvsroot/cosign/cosign/cgi/cgi.c,v retrieving revision 1.144 diff -u -r1.144 cgi.c --- cgi/cgi.c 16 Jan 2009 21:06:47 -0000 1.144 +++ cgi/cgi.c 31 Mar 2009 21:11:17 -0000 @@ -73,7 +73,7 @@ static struct subfile_list sl[] = { #define SL_LOGIN 0 - { 'l', SUBF_STR, NULL }, + { 'l', SUBF_STR_ESC, NULL }, #define SL_TITLE 1 { 't', SUBF_STR, NULL }, #define SL_REF 2
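Review bot: Only the SL_LOGIN entry ('l') is switched from SUBF_STR to SUBF_STR_ESC; the neighbouring SL_TITLE entry ('t') and the SL_REF entry that follows it stay SUBF_STR in this hunk. If either of those values can also be populated from request parameters they need the same change, so either confirm they are server-controlled or switch them to SUBF_STR_ESC too. The hunk also does not show what SUBF_STR_ESC does, so verify that it escapes for every context in which the 'l' substitution is rendered (HTML body text and attribute values, covering at least &, <, >, and both quote characters), and consider adding a regression test that feeds a login name containing markup characters through cgi.c and checks the rendered page.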
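As an added illustration (not code from the cosign project), the following C program models the table-driven substitution the patch touches: a hypothetical subfile_list whose entry type, SUBF_STR or SUBF_STR_ESC, decides whether a value is copied into the page verbatim or HTML-escaped first. The type names are mirrored from the hunk but their semantics are assumed; the escaping routine is my own and the sample login value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types mirroring the hunk's SUBF_STR / SUBF_STR_ESC (semantics assumed). */
enum subf_type { SUBF_STR, SUBF_STR_ESC };
struct subfile_list { char key; enum subf_type type; const char *val; };

static char *dup_str(const char *s) {
    char *out = malloc(strlen(s) + 1);
    return out ? strcpy(out, s) : NULL;
}

/* Escape the characters significant in HTML text/attribute contexts; caller frees. */
char *html_escape(const char *s) {
    static const char *rep[256] = { ['&'] = "&amp;", ['<'] = "&lt;",
        ['>'] = "&gt;", ['"'] = "&quot;", ['\''] = "&#39;" };
    size_t len = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        len += rep[*p] ? strlen(rep[*p]) : 1;
    char *out = malloc(len + 1), *o = out;
    if (!out) return NULL;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (rep[*p]) { size_t r = strlen(rep[*p]); memcpy(o, rep[*p], r); o += r; }
        else *o++ = (char)*p;
    }
    *o = '\0';
    return out;
}

/* Table-driven substitution: the entry's type decides verbatim vs. escaped output. */
char *subst(const struct subfile_list *sl, size_t n, char key) {
    for (size_t i = 0; i < n; i++) {
        if (sl[i].key != key) continue;
        return sl[i].type == SUBF_STR_ESC ? html_escape(sl[i].val) : dup_str(sl[i].val);
    }
    return NULL;
}

/* Constructed sample: a login name carrying markup characters, as a hostile request
 * parameter might, under the pre-patch and post-patch entry types for 'l'. */
struct subfile_list before_sl[] = { { 'l', SUBF_STR,     "alice<\"&>" } };
struct subfile_list after_sl[]  = { { 'l', SUBF_STR_ESC, "alice<\"&>" } };

int main(void) {
    char *a = subst(before_sl, 1, 'l'), *b = subst(after_sl, 1, 'l');
    printf("SUBF_STR:     %s\nSUBF_STR_ESC: %s\n", a, b);
    free(a); free(b);
    return 0;
}
```

With the pre-patch entry type the markup characters reach the page unchanged; with SUBF_STR_ESC the same login name renders as inert text.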
