Your message dated Mon, 26 Mar 2007 20:47:44 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#416195: fixed in lwat 0.13-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: lwat
Version: 0.13-1
Severity: grave
Tags: security

I tested lwat today to see whether it is vulnerable to malicious HTML code if such values are already inside the LDAP database. I used ldif to add something like this as the cn:

cn: </a><a href="javascript:;" onclick="window.alert('Thanks for this hack');" >Test User</a><a>

The result was that if I search for Test user and click on it I got a popup with 'Thanks for this hack' in it.

This issue is similar to: #415379

I will attach a fix soon, and will upload it then, since I'm the maintainer of this package ;-)

Greetings
Patrick

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages lwat depends on:
ii  apache2-mpm-prefork [apache2]  2.2.3-3.3   Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]          1.5.13      Debian configuration management sy
ii  libapache2-mod-php5            5.2.0-10    server-side, HTML-embedded scripti
ii  php5                           5.2.0-10    server-side, HTML-embedded scripti
ii  php5-ldap                      5.2.0-10    LDAP module for php5
ii  smarty-gettext                 1.0b1-2     provides gettext support for smart

lwat recommends no packages.

-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: lwat
Source-Version: 0.13-2

We believe that the bug you reported is fixed in the latest version of
lwat, which is due to be installed in the Debian FTP archive:

lwat_0.13-2.diff.gz
  to pool/main/l/lwat/lwat_0.13-2.diff.gz
lwat_0.13-2.dsc
  to pool/main/l/lwat/lwat_0.13-2.dsc
lwat_0.13-2_all.deb
  to pool/main/l/lwat/lwat_0.13-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Winnertz <[EMAIL PROTECTED]> (supplier of updated lwat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 25 Mar 2007 22:40:37 +0200
Source: lwat
Binary: lwat
Architecture: source all
Version: 0.13-2
Distribution: unstable
Urgency: high
Maintainer: Patrick Winnertz <[EMAIL PROTECTED]>
Changed-By: Patrick Winnertz <[EMAIL PROTECTED]>
Description:
 lwat       - LDAP Web-based Administration Tool
Closes: 416195
Changes:
 lwat (0.13-2) unstable; urgency=high
 .
   * Added patch to escape data fetched from the ldap database to avoid
     executing malicious codeblocks found in ldap. (Closes: #416195)
   * Set urgency to high since this is a security fix.
   * Modified rules to run dpatch in build and clean target.
   * Added build-dep on dpatch.
   * The German and Norwegian translations of lwat have been updated.
   * Upload sponsored by Petter Reinholdtsen.
Files:
 7c7fd70980b5fc1ca3e45528f8c8a4e1 638 misc optional lwat_0.13-2.dsc
 f3bd5896ead542bc5bb56f6f11ad61ac 13122 misc optional lwat_0.13-2.diff.gz
 b65cf0f86d371de8a07a5a8845bc1b61 51284 misc optional lwat_0.13-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGCCfy20zMSyow1ykRAlDMAJ9Ncz6+pkSAgknRWEoTehSVXom1QACfQazP
aATceXY3R3xo1XjYeG0hQl8=
=TRA4
-----END PGP SIGNATURE-----
--- End Message ---
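The stored-XSS pattern in the report above and the fix named in the changelog (escape directory data before rendering it) side by side, as an added PHP illustration rather than lwat's own code; the `showuser.php?uid=` link target, the entry layout and the helper names are assumptions.

```php
<?php
// Added illustration (not lwat's code): render one LDAP search hit as an HTML
// link. Attribute values come from the directory, which anyone able to add
// entries (via LDIF, as in the report) can write, so they are untrusted input.

// Constructed sample entry, shaped like one element of an ldap_get_entries()
// result. The cn is the report's test value: markup that closes the <a> early
// and adds its own onclick handler.
$entry = array(
    'cn'  => array('count' => 1, 0 => '</a><a href="javascript:;" onclick="window.alert(\'Thanks for this hack\');" >Test User</a><a>'),
    'uid' => array('count' => 1, 0 => 'testuser'),
);

// Vulnerable form (the 0.13-1 behaviour): directory values are concatenated
// into markup as-is, so the browser parses the stored tags as part of the page.
function render_hit_unescaped(array $e)
{
    return '<a href="showuser.php?uid=' . $e['uid'][0] . '">' . $e['cn'][0] . '</a>';
}

// Hardened form: every directory value is encoded for the context it lands in.
// htmlspecialchars() turns < > & " ' into entities so the cn is shown literally;
// rawurlencode() keeps the uid a single query-string value. h() is a hypothetical
// helper name, not a function lwat defines.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_hit_escaped(array $e)
{
    return '<a href="showuser.php?uid=' . rawurlencode($e['uid'][0]) . '">'
         . h($e['cn'][0]) . '</a>';
}

// In a Smarty template (lwat depends on smarty-gettext) the same fix is the
// escape modifier: {$entry.cn|escape:'html'} instead of a bare {$entry.cn}.

echo render_hit_unescaped($entry), "\n"; // the stored onclick survives intact
echo render_hit_escaped($entry), "\n";   // no raw '<' or '"' from the cn remains
```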

