Your message dated Tue, 13 Jun 2006 11:02:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#370576: fixed in acidbase 1.2.5-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: acidbase
Severity: grave
Tags: security
Justification: user security hole
http://www.frsirt.com/english/advisories/2006/1996
Advisory ID : FrSIRT/ADV-2006-1996
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-26
Technical Description
Multiple vulnerabilities have been identified in Basic Analysis and Security
Engine (BASE), which could be exploited by attackers to execute arbitrary
commands. These flaws are due to input validation errors in the
"base_qry_common.php", "base_stat_common.php", and
"includes/base_include.inc.php" scripts that do not validate the "BASE_path"
parameter, which could be exploited by remote attackers to include malicious
scripts and execute arbitrary commands with the privileges of the web server.
Affected Products
Basic Analysis and Security Engine (BASE) 1.2.4 and prior
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- End Message ---
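The include pattern behind the advisory above, contrasted with a contained version, as an added illustration that is not code from BASE or from the Debian package. The request array and the BASE_INSTALL_DIR constant are constructed for the example; BASE itself keeps its prefix in base_conf.php.

```php
<?php
// With register_globals=On (a common PHP 4/5 setting in 2006), a request
// parameter named BASE_path silently becomes the global $BASE_path, so a
// script that does include($BASE_path . "/includes/base_db.inc.php") follows
// whatever prefix the client supplied, including a URL when allow_url_fopen
// is enabled. That is the input-validation error the advisory describes.

// Constructed request, standing in for $_GET under register_globals.
$request = array('BASE_path' => 'http://example.invalid/remote');

// Vulnerable shape: the prefix is whatever arrived in the request.
function vulnerable_include_target(array $request) {
    $BASE_path = isset($request['BASE_path']) ? $request['BASE_path'] : '.';
    return $BASE_path . '/includes/base_db.inc.php';
}

// Hardened shape: the prefix is fixed at install time (hypothetical constant),
// and the relative part is validated so neither the directory nor the file
// name can be steered from the client.
define('BASE_INSTALL_DIR', __DIR__);

function safe_include_target($relative) {
    // Plain path segments only: letters, digits, underscore, dot, slash, and a
    // .php suffix; no leading slash, no scheme (":" is not allowed), no "..".
    if (!preg_match('#^[A-Za-z0-9_.]+(/[A-Za-z0-9_.]+)*\.php$#', $relative)
        || strpos($relative, '..') !== false) {
        return null;   // caller must treat null as "do not include"
    }
    return BASE_INSTALL_DIR . '/' . $relative;
}

// Demonstration (PHP CLI): the first line is the remote URL the vulnerable
// code would hand to include(); the rest shows the hardened version refusing
// anything that is not a relative .php path under the install directory.
echo vulnerable_include_target($request), "\n";
var_dump(safe_include_target('includes/base_db.inc.php'));         // string under BASE_INSTALL_DIR
var_dump(safe_include_target($request['BASE_path'] . '/x.php'));  // NULL: scheme and colon rejected
var_dump(safe_include_target('../../etc/passwd'));                // NULL: ".." and no .php suffix
```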
--- Begin Message ---
Source: acidbase
Source-Version: 1.2.5-1
We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:
acidbase_1.2.5-1.diff.gz
to pool/main/a/acidbase/acidbase_1.2.5-1.diff.gz
acidbase_1.2.5-1.dsc
to pool/main/a/acidbase/acidbase_1.2.5-1.dsc
acidbase_1.2.5-1_all.deb
to pool/main/a/acidbase/acidbase_1.2.5-1_all.deb
acidbase_1.2.5.orig.tar.gz
to pool/main/a/acidbase/acidbase_1.2.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Gil <[EMAIL PROTECTED]> (supplier of updated acidbase package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Mon, 12 Jun 2006 21:20:37 +0200
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: David Gil <[EMAIL PROTECTED]>
Changed-By: David Gil <[EMAIL PROTECTED]>
Description:
acidbase - Basic Analysis and Security Engine
Closes: 363548 370576
Changes:
acidbase (1.2.5-1) unstable; urgency=high
.
* New upstream release, which includes the following security improvements:
+ Added XSSPrintSafe() (array safe htmlspecialchars() function) and made
filterSql() use ADOdb qmagic()
+ Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
variables using filterSql()
+ Sanitized all $_SERVER variables to be protected against XSS attacks
These improvements fix the following security bugs:
+ Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
(Closes: #363548).
+ Remote File Inclusion Vulnerabilities (CVE-2006-2685)
(Closes: #370576).
.
* debian/patches/02_update_external_links.dpatch : updated.
.
* Applied part of the patch from Paul Wise <[EMAIL PROTECTED]>:
+ Remove short description from long description
+ Update copyright file with more information
.
* Bump Standards-Version to 3.7.2 (no policy-related changes needed).
.
* Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
maintainer scripts, not only in config file.
This is related to bug #372948 (dbconfig-common: can not determine the
database type).
.
* Remove ucf file under /etc/acidbase on package purge.
Files:
1627500fb735f4ce19a137031d59c0c3 683 web optional acidbase_1.2.5-1.dsc
cd6a83df67106ebf9a148d5ac1ec9b8c 335819 web optional acidbase_1.2.5.orig.tar.gz
3cc7ab0405eaf4e2539f64a175af64f6 14891 web optional acidbase_1.2.5-1.diff.gz
15ce906b026e9bb7d89a4c9dd600e28d 346322 web optional acidbase_1.2.5-1_all.deb
--- End Message ---