Your message dated Wed, 16 Dec 2009 23:52:30 +0000
with message-id <[email protected]>
and subject line Bug#536051: fixed in fckeditor 1:2.6.2-1lenny1
has caused the Debian Bug report #536051,
regarding CVE-2009-2265, CVE-2009-2324: input sanitization errors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
536051: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536051
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fckeditor
Version: 1:2.6.2-1
Severity: grave
Tags: security lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for fckeditor.

CVE-2009-2265[0]:
| Multiple directory traversal vulnerabilities in FCKeditor before
| 2.6.4.1 allow remote attackers to create executable files in arbitrary
| directories via directory traversal sequences in the input to
| unspecified connector modules, as exploited in the wild for remote
| code execution in July 2009, related to the file browser and the
| editor/filemanager/connectors/ directory.

CVE-2009-2324[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor
| before 2.6.4.1 allow remote attackers to inject arbitrary web script
| or HTML via components in the samples (aka _samples) directory.


These are already fixed in debian unstable.
Please coordinate with the security team ([email protected]) to
prepare packages for the stable releases.


If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
    http://security-tracker.debian.net/tracker/CVE-2009-2265
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2324
    http://security-tracker.debian.net/tracker/CVE-2009-2324

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpS7BoACgkQNxpp46476aqLkgCfbfTGN8TqPG10C+EBvYMm82zJ
9ngAnRpSHHzwAfY1Usb0My2SzkvwunSF
=tCPb
-----END PGP SIGNATURE-----



--- End Message ---
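The CVE-2009-2265 entry quoted in the report above describes the general failure mode of a file-browser connector: client-supplied folder and file names are joined onto the upload root without being confined to it, so a traversal sequence lets a caller place an executable file outside the intended directory. The following is an added example, not FCKeditor's code nor part of the Debian package, of the two checks such a connector needs before it creates a folder or writes an upload: path containment that rejects (rather than silently rewrites) anything escaping the root, and an extension check that looks at every dot-separated segment. The names UPLOAD_ROOT, BLOCKED_EXTENSIONS, resolve_user_path, is_safe_upload_name and check_upload, and the sample root and requests, are constructed for this example.

```python
# Added example (not FCKeditor's or the Debian package's own code): the
# path-containment and extension checks a file-browser connector needs before
# it creates a folder or writes an upload under its document root.
# UPLOAD_ROOT, BLOCKED_EXTENSIONS, resolve_user_path, is_safe_upload_name and
# check_upload are assumed names for this example.
import posixpath

# Constructed sample root: the connector may only touch files below this.
UPLOAD_ROOT = "/var/www/userfiles"

# Constructed deny-list of extensions a typical web server would execute.
# A real deployment should prefer an allow-list of the file types it expects.
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "asp", "aspx", "jsp",
    "cgi", "pl", "py", "sh", "htaccess",
}


class PathTraversalError(ValueError):
    """Raised when client-supplied path parts would leave the upload root."""


def resolve_user_path(current_folder, name, root=UPLOAD_ROOT):
    """Join the client-supplied folder and file/folder name under root and
    return the canonical absolute path, rejecting anything that would
    escape root.

    This must run on the *decoded* request values: if the web layer
    URL-decodes after this check, an encoded ".." would slip through.
    """
    for part in (current_folder, name):
        if "\x00" in part:
            # A NUL byte truncates the path in C-backed filesystem calls.
            raise PathTraversalError("NUL byte in path component")
    # Treat backslashes as separators too; Windows hosts honour them.
    combined = current_folder.replace("\\", "/") + "/" + name.replace("\\", "/")
    parts = [p for p in combined.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise PathTraversalError("parent-directory reference in path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, *parts)) if parts else root
    # Belt and braces: containment check on the normalised result.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError("resolved path escapes upload root")
    return candidate


def is_safe_upload_name(filename):
    """Accept a file name only if no extension segment is executable.

    Every dot-separated segment after the first is checked, so
    "shell.php.jpg" is refused (Apache's mod_mime can evaluate all of them).
    Leading-dot names (.htaccess) and names without an extension are refused.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith("."):
        return False
    segments = base.lower().split(".")
    if len(segments) < 2:
        return False
    return not any(seg in BLOCKED_EXTENSIONS for seg in segments[1:])


def check_upload(current_folder, filename):
    """Run both checks; return (accepted, absolute_path_or_reason)."""
    if not is_safe_upload_name(filename):
        return False, "extension not allowed"
    try:
        return True, resolve_user_path(current_folder, filename)
    except PathTraversalError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed requests of the shape a connector receives.
    for folder, name in [("images", "photo.jpg"),
                         ("../../html", "photo.jpg"),
                         ("images", "shell.php.jpg"),
                         ("images", "a\x00b.jpg")]:
        print(repr((folder, name)), "->", check_upload(folder, name))
```

The containment check is done on the normalised path in addition to the explicit ".." scan so that a later change to how parts are joined cannot reopen the hole; the extension check refuses rather than renames, because rewriting a suspicious name to something "safe" is what lets double-extension tricks through.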
--- Begin Message ---
Source: fckeditor
Source-Version: 1:2.6.2-1lenny1

We believe that the bug you reported is fixed in the latest version of
fckeditor, which is due to be installed in the Debian FTP archive:

fckeditor_2.6.2-1lenny1.diff.gz
  to main/f/fckeditor/fckeditor_2.6.2-1lenny1.diff.gz
fckeditor_2.6.2-1lenny1.dsc
  to main/f/fckeditor/fckeditor_2.6.2-1lenny1.dsc
fckeditor_2.6.2-1lenny1_all.deb
  to main/f/fckeditor/fckeditor_2.6.2-1lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Habermann <[email protected]> (supplier of updated fckeditor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Jul 2009 00:32:00 +0200
Source: fckeditor
Binary: fckeditor
Architecture: source all
Version: 1:2.6.2-1lenny1
Distribution: stable-security
Urgency: high
Maintainer: Frank Habermann <[email protected]>
Changed-By: Frank Habermann <[email protected]>
Description: 
 fckeditor  - rich text format javascript web editor
Closes: 536051
Changes: 
 fckeditor (1:2.6.2-1lenny1) stable-security; urgency=high
 .
   * Backporting fix from version 2.6.2.1 for remote file upload
     vulnerability [CVE 2009-2265] (Closes: #536051)
Checksums-Sha1: 
 b4f01576f28dd19ff9a0527ac08a3541073b6e2a 1028 fckeditor_2.6.2-1lenny1.dsc
 a0bbab9447d37e0cc6b7c73df5304453e96a7811 934845 fckeditor_2.6.2.orig.tar.gz
 43397a5e97d81f430977f7c571f8a469e587dbd1 25408 fckeditor_2.6.2-1lenny1.diff.gz
 a9e324f9af2365797c7e2a26bd1c170cb9218eb5 945672 fckeditor_2.6.2-1lenny1_all.deb
Checksums-Sha256: 
 69d97ce269ca0a0b62fe02e837829a91a9996aaf2af14b045d809b6a5b19d592 1028 fckeditor_2.6.2-1lenny1.dsc
 d2a97e311f862e78b57b2c89f374a3adc58de5e2e6659ba1c0d02715a1e111f2 934845 fckeditor_2.6.2.orig.tar.gz
 91ede558728226b3bf213415892028be223f75f7eccf6809682631a80f0ea323 25408 fckeditor_2.6.2-1lenny1.diff.gz
 0553a1c704469a4e35acebd4fa64368a2e96a0ea151c226787d4f8be165ba6a5 945672 fckeditor_2.6.2-1lenny1_all.deb
Files: 
 489da6d230d86e6347c2f5839ffd0af3 1028 web optional fckeditor_2.6.2-1lenny1.dsc
 8b58da54703e47622e07b8fdc9f5f93d 934845 web optional fckeditor_2.6.2.orig.tar.gz
 2e10c633f28bdffa1afda0918783ac9e 25408 web optional fckeditor_2.6.2-1lenny1.diff.gz
 5a0d59f390945ab2df02c43be8e81a5c 945672 web optional fckeditor_2.6.2-1lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpe5HQACgkQ+C5cwEsrK54L8gCfWTfN/Uhm+QysYlmbjBRQXHF3
QkoAoOIkCOJxjvfzMwMU2UZejLJjrEJl
=sE5y
-----END PGP SIGNATURE-----



--- End Message ---