Your message dated Mon, 13 Oct 2008 13:33:34 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: CVE-2008-4437 - Directory traversal vulnerability in 
importxml.pl
has caused the Debian Bug report #502019,
regarding CVE-2008-4437 - Directory traversal vulnerability in importxml.pl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
502019: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502019
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: bugzilla
Version: 3.0.4.1-2
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu ubuntu-patch intrepid

Directory traversal vulnerability in importxml.pl in
Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
is enabled, allows remote attackers to read arbitrary files via an
XML file with a .. (dot dot) in the data element

Ubuntu Bug - https://bugs.edge.launchpad.net/ubuntu/+source/bugzilla/+bug/280641

Patch supplied is from Upstream.


-- 
Stefan Lesicnik
([EMAIL PROTECTED])

Attachment: debian-patch
Description: Binary data


--- End Message ---
--- Begin Message ---
Version: 3.0.5.0-1

Hi,
* Stefan Lesicnik <[EMAIL PROTECTED]> [2008-10-12 21:11]:
> Package: bugzilla
> Version: 3.0.4.1-2
> User: [EMAIL PROTECTED]
> Usertags: origin-ubuntu ubuntu-patch intrepid
> 
> Directory traversal vulnerability in importxml.pl in
> Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
> is enabled, allows remote attackers to read arbitrary files via an
> XML file with a .. (dot dot) in the data element
> 
> Ubuntu Bug - 
> https://bugs.edge.launchpad.net/ubuntu/+source/bugzilla/+bug/280641
> 
> Patch supplied is from Upstream.

This bug is already fixed in unstable, please check the 
security tracker next time before filing a security bug:
http://security-tracker.debian.net/tracker/CVE-2008-4437. 
Tagging the bug with security would also be nice.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
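
The traversal described in the report, seen from the defending side, as an added example (not Bugzilla's code and not the upstream patch): a Perl containment check for a file name taken from untrusted XML. It assumes the importer joins a name from the data element onto the --attach_path directory; resolve_attachment and the sample files are hypothetical.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper, written for this illustration.
# The unsafe pattern is a bare join such as "$base/$name" passed to open().
# Returns the canonical path of $name inside $base, or undef when $name is
# absolute, has a ".." segment, or resolves (e.g. via symlink) outside $base.
sub resolve_attachment {
    my ($base, $name) = @_;
    return undef if !defined $name || $name eq '' || $name =~ /\0/;
    return undef if File::Spec->file_name_is_absolute($name);
    return undef if grep { $_ eq '..' } split m{[/\\]+}, $name;
    my $root = realpath($base);
    return undef unless defined $root;
    my $cand = File::Spec->catfile($root, $name);
    return undef unless -f $cand;            # must be an existing regular file
    my $full = realpath($cand);              # follows symlinks
    return undef unless defined $full && index($full, "$root/") == 0;
    return $full;
}

# Constructed demo data: an attachment directory and a file outside it.
my $tmp    = tempdir(CLEANUP => 1);
my $base   = File::Spec->catdir($tmp, 'attach');
my $secret = File::Spec->catfile($tmp, 'secret.txt');
mkdir $base or die "mkdir: $!";
for my $f (File::Spec->catfile($base, 'patch.diff'), $secret) {
    open my $fh, '>', $f or die "open $f: $!";
    print {$fh} "constructed sample\n";
    close $fh;
}
# A link inside the directory that points outside it (skipped where unsupported).
eval { symlink $secret, File::Spec->catfile($base, 'link.txt'); 1 };

for my $name ('patch.diff', '../secret.txt', 'sub/../../secret.txt',
              $secret, 'link.txt') {
    my $path = resolve_attachment($base, $name);
    printf "%-24s %s\n", $name, defined $path ? 'accept' : 'reject';
}
```

The textual ".." check alone would miss the symlink case, which is why the resolved path is compared against the resolved base directory as well.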
