Your message dated Wed, 17 Jun 2009 17:27:12 -0300
with message-id <[email protected]>
and subject line Does not affect lenny, indeed
has caused the Debian Bug report #516555,
regarding CVE-2008-6059: missing access restriction
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
516555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516555
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: webkit
Severity: important
Tags: security
Hi Mike,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.
CVE-2008-6059[0]:
| xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
| properly restrict access from web pages to the (1) Set-Cookie and (2)
| Set-Cookie2 HTTP response headers, which allows remote attackers to
| obtain sensitive information from cookies via XMLHttpRequest calls,
| related to the HTTPOnly protection mechanism.
I am not quite sure that I understood the issue correctly, so I used
important as the severity. Maybe you could investigate the severity and
state your opinion?
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6059
http://security-tracker.debian.net/tracker/CVE-2008-6059
--- End Message ---
--- Begin Message ---
As has already been stated, WebKit did not support cookies at all, at
the time. Sorry it took a long time to actually answer =(.
--
Gustavo Noronha <[email protected]>
Debian Project
--- End Message ---