Package: zonecheck
Version: 2.0.4-13
Severity: grave
Tags: security
Justification: user security hole

There is an XSS security bug in Zonecheck CGI up to version 2.1.0. Fixed upstream in 2.1.1.

The patch is simple and can probably be backported:
http://cvs.savannah.gnu.org/viewvc/zonecheck/zc/publisher/html.rb?root=zonecheck&r1=1.79&r2=1.80

The bug has already been exploited in the wild:
http://www.xssed.com/mirror/61096/

The upstream bug report:
https://savannah.nongnu.org/bugs/?29967

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages zonecheck depends on:
ii  iputils-ping  3:20071127-1  Tools to test the reachability of
ii  ruby          4.2           An interpreter of object-oriented

zonecheck recommends no packages.
zonecheck suggests no packages.

-- no debconf information
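For a packager evaluating the backport, the bug class at issue is a request parameter reflected unescaped into the HTML the CGI publisher emits. The constructed Ruby example below (added here, not zonecheck's html.rb or its upstream patch) shows that shape beside the hardened form, which escapes the value with CGI.escapeHTML at the point it enters an HTML context, plus a small check that the raw markup no longer survives in the output. The function and parameter names are hypothetical.

```ruby
require 'cgi'

# Constructed example, not ZoneCheck's code: an HTML "publisher" that
# reflects a request parameter (the zone name being checked) into the page.

# Vulnerable form: the parameter is interpolated verbatim, so a value
# containing markup becomes part of the document structure. This is the
# reflected-XSS bug class described in the report.
def render_result_unsafe(zone)
  "<h1>Results for #{zone}</h1>"
end

# Hardened form: escape the untrusted value where it enters an HTML
# context. CGI.escapeHTML turns <, >, &, " and ' into entities, so the
# value is rendered as text and cannot alter the document structure.
def render_result(zone)
  "<h1>Results for #{CGI.escapeHTML(zone)}</h1>"
end

# Regression check for a backport: true if the input carried angle
# brackets and those survived verbatim in the rendered HTML.
def reflects_markup?(html, input)
  input.scan(/[<>]/).any? && html.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  sample = 'example.org<b>injected</b>' # constructed hostile input
  puts render_result_unsafe(sample)     # markup passes through untouched
  puts render_result(sample)            # markup rendered as literal text
end
```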