Your message dated Sun, 18 Dec 2011 22:33:51 +0000
with message-id <[email protected]>
and subject line Bug#652587: fixed in libhtml-template-pro-perl 0.9507-1
has caused the Debian Bug report #652587,
regarding libhtml-template-pro-perl: missing escaping allows XSS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
652587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652587
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libhtml-template-pro-perl
Version: 0.9502-1
Severity: important
Tags: security

The JS escaping in libhtml-template-pro-perl fails to escape "<" and
">", which allows XSS.  This was fixed in the last upstream release (0.9507).

An example script that triggers the bug is attached.  With 0.9507 it
outputs

  &lt;evil&gt;

older versions generate

  <evil>

instead.

Ansgar



--- End Message ---
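
Why unescaped "<" and ">" in a JS-escaped value lead to XSS, as an added example that is not part of the report and is not HTML::Template::Pro code. All function names and the sample value are hypothetical, and the `\u003c` encoding is this example's choice, not necessarily what 0.9507 emits.

```javascript
// Added illustration; not HTML::Template::Pro code. All names are hypothetical.
const JS_STRING_ESCAPES = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r' };

// Escapes only what would end or corrupt a JS string literal; "<" and ">" pass through.
function jsEscapeWeak(value) {
  return value.replace(/[\\'"\n\r]/g, (ch) => JS_STRING_ESCAPES[ch]);
}

// Same, plus "<" and ">" written as \u003c / \u003e, so the HTML parser never
// sees markup inside the literal while the JS engine still decodes the same string.
function jsEscapeStrict(value) {
  return jsEscapeWeak(value).replace(/[<>]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render a value into an inline script block, as a template with a
// JS-escaped variable would.
function renderPage(value, escape) {
  return '<script>var name = "' + escape(value) + '";</script><p>footer</p>';
}

// Model the HTML tokenizer: a script element ends at the first "</script",
// whatever JS string it happens to sit in. Returns the script text and the rest.
function splitAtScriptEnd(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return { script: html.slice(start, end), afterScript: html.slice(end) };
}

// Constructed sample input, reusing the <evil> marker from the report.
const SAMPLE = 'x</script><evil>';

const weak = splitAtScriptEnd(renderPage(SAMPLE, jsEscapeWeak));
const strict = splitAtScriptEnd(renderPage(SAMPLE, jsEscapeStrict));
console.log('weak   script:', weak.script, '| markup after:', weak.afterScript);
console.log('strict script:', strict.script, '| markup after:', strict.afterScript);
```

With the weak escaper the script block is cut short and the rest of the value is parsed as page markup; with the strict one the block stays intact and the variable still holds the original string.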
--- Begin Message ---
Source: libhtml-template-pro-perl
Source-Version: 0.9507-1

We believe that the bug you reported is fixed in the latest version of
libhtml-template-pro-perl, which is due to be installed in the Debian FTP 
archive:

libhtml-template-pro-perl_0.9507-1.debian.tar.gz
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1.debian.tar.gz
libhtml-template-pro-perl_0.9507-1.dsc
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1.dsc
libhtml-template-pro-perl_0.9507-1_amd64.deb
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1_amd64.deb
libhtml-template-pro-perl_0.9507.orig.tar.gz
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <[email protected]> (supplier of updated 
libhtml-template-pro-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Dec 2011 23:04:24 +0100
Source: libhtml-template-pro-perl
Binary: libhtml-template-pro-perl
Architecture: amd64 source
Version: 0.9507-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Ansgar Burchardt <[email protected]>
Closes: 652587
Description: 
 libhtml-template-pro-perl - Perl module to use HTML Templates from CGI scripts
Changes: 
 libhtml-template-pro-perl (0.9507-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Upload with medium urgency as this fixes a XSS vulnerability.
     (Closes: #652587)



--- End Message ---