Your message dated Mon, 6 Feb 2023 22:27:44 +0100
with message-id <[email protected]>
and subject line Re: Accepted fava 1.23.1-1 (source) into unstable
has caused the Debian Bug report #1016971,
regarding fava: CVE-2022-2514 CVE-2022-2523 CVE-2022-2589
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1016971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fava
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for fava.

CVE-2022-2514[0]:
| The time and filter parameters in Fava prior to v1.22 are vulnerable
| to reflected XSS due to the lack of escaping of error messages which
| contained the parameters in verbatim.

https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
 (v1.22)

CVE-2022-2523[1]:
| Cross-site Scripting (XSS) - Reflected in GitHub repository
| beancount/fava prior to 1.22.2.

https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b
 (v1.22.2)

CVE-2022-2589[2]:
| Cross-site Scripting (XSS) - Reflected in GitHub repository
| beancount/fava prior to 1.22.3.

https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539
 (v1.22.3)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2514
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2514
[1] https://security-tracker.debian.org/tracker/CVE-2022-2523
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2523
[2] https://security-tracker.debian.org/tracker/CVE-2022-2589
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2589

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: fava
Source-Version: 1.23.1-1

On Mon, Feb 06, 2023 at 01:04:03AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 05 Feb 2023 16:10:51 +0000
> Source: fava
> Architecture: source
> Version: 1.23.1-1
> Distribution: unstable
> Urgency: high
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Blair Noctis <[email protected]>
> Changes:
>  fava (1.23.1-1) unstable; urgency=high
>  .
>    * Team upload.
>    * New upstream version 1.23.1 (CVE-2022-2514 CVE-2022-2523 CVE-2022-2589)
>    * Build with pybuild pyproject plugin as upstream moved to pyproject.toml
>    * Update lintian overrides
>    * Remove copyright notice and lintian override of removed
>      src/fava/static/app.js
>    * Refresh patches
> Checksums-Sha1:
>  6bcb056ffa2c70ef4e1062a527a9007cfb2b0b94 2089 fava_1.23.1-1.dsc
>  5fcce91fc3c188a9aa8931d382f786b69865f2c3 499234 fava_1.23.1.orig.tar.gz
>  260ee7da1ad55eae85a487d906236d7c29dcd1e3 4868 fava_1.23.1-1.debian.tar.xz
>  6249b2f5ee15feb85ccca5630c297ded25313a42 6708 fava_1.23.1-1_source.buildinfo
> Checksums-Sha256:
>  803b0afe9deaf61acafd9c019f5d05838cffdff63bed579a40b24f0bfae4efe3 2089 
> fava_1.23.1-1.dsc
>  f01cf9f2291b66d6e836a6c337cd7638288162978eb4d68ce7902db0a2c9db85 499234 
> fava_1.23.1.orig.tar.gz
>  f98e71759aa9681d61d5d28e1c875308fb61cca2fc41fa303a649bc36c30b0d9 4868 
> fava_1.23.1-1.debian.tar.xz
>  a1cec42f3b4c3991085630966d5af01a55d61f002ba32fa3c12b399ef10c6bbd 6708 
> fava_1.23.1-1_source.buildinfo
> Files:
>  c5b99d6682f1b607e146d0a22de68858 2089 python optional fava_1.23.1-1.dsc
>  8ac8167ad5e5ad2c748d7780b39efc8e 499234 python optional 
> fava_1.23.1.orig.tar.gz
>  37b62c0f68859df0278b2b0ae8290c35 4868 python optional 
> fava_1.23.1-1.debian.tar.xz
>  e9ef373c792ebf78c18bd834bf1d3be0 6708 python optional 
> fava_1.23.1-1_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmPgT6sQHGJhZ2VAZGVi
> aWFuLm9yZwAKCRAfXHqLRVZDFCllC/0RsgWCAJgrL7lNVQ/BDHJXeTo2/65xbyrm
> NGqhZDa8cZQfZXqrBmqioNIap+pcu6f8xqpIJBB4CdpZdJ5G4TPIXCkYBXuk0rE2
> 3kSd+m0JN8VgL7jbDo1G/DnX7ecsq8+1fDjlMcrdCymJR5XUMpsPtWLu2ctFh5k1
> xhPuYikhl/7wgtlYtypE0mLowxWXR3VxnnYweaaqK0u+6Mo/gV1JUpJpi3bwHRRE
> uAyPC7KZMEUK/V+xDY0lnrpGJaPVGFp0zedljDohjCtTPOM43NCLDryBAuBlFQt1
> 95IRUVuvpla6hYONXPP505gFA6WjFxZTgzErK9f6+0LqXackUN+O2rEDbHpVDtFx
> opk6Ar/kExazNVjQmWo5OXTbSDDLEcaGpAXoradnqaT8h8P4YUaP95A+pd56rmFt
> 0ePG2uVHIl7EftpzQF0R1/VUnAxZotsYKEPri0gdYwXm+Rhqs9NPzQ8fneypU8aR
> oHeRH2Pb0cgPfBsXuJE9J5YWU3T1krU=
> =gon/
> -----END PGP SIGNATURE-----
> 

--- End Message ---

Reply via email to