Bug#536051: marked as done (CVE-2009-2265, CVE-2009-2324: input sanitization errors)

Sun, 19 Jul 2009 14:59:10 -0700 

Your message dated Sun, 19 Jul 2009 23:51:47 +0200
with message-id <200907192351.47503.lordla...@lordlamer.de>
and subject line 
has caused the Debian Bug report #536051,
regarding CVE-2009-2265, CVE-2009-2324: input sanitization errors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
536051: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536051
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: fckeditor
Version: 1:2.6.2-1
Severity: grave
Tags: security lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for fckeditor.

CVE-2009-2265[0]:
| Multiple directory traversal vulnerabilities in FCKeditor before
| 2.6.4.1 allow remote attackers to create executable files in arbitrary
| directories via directory traversal sequences in the input to
| unspecified connector modules, as exploited in the wild for remote
| code execution in July 2009, related to the file browser and the
| editor/filemanager/connectors/ directory.

CVE-2009-2324[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor
| before 2.6.4.1 allow remote attackers to inject arbitrary web script
| or HTML via components in the samples (aka _samples) directory.


These are already fixed in debian unstable.
Please coordinate with the security team (t...@security.debian.org) to
prepare packages for the stable releases.


If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
    http://security-tracker.debian.net/tracker/CVE-2009-2265
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2324
    http://security-tracker.debian.net/tracker/CVE-2009-2324

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpS7BoACgkQNxpp46476aqLkgCfbfTGN8TqPG10C+EBvYMm82zJ
9ngAnRpSHHzwAfY1Usb0My2SzkvwunSF
=tCPb
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message --- 
Version: 1:2.6.2-1lenny1

--- End Message ---

Reply via email to