Your message dated Sun, 18 Mar 2018 22:35:12 +0000
with message-id <e1exgtu-00055x...@fasolo.debian.org>
and subject line Bug#887330: fixed in civicrm 4.7.30+dfsg-1
has caused the Debian Bug report #887330,
regarding civicrm: Multiple XSS vulnerabilities were found in CiviCRM <4.7.26
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887330
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: civicrm
Version: 4.7.24+dfsg-1
Severity: serious
Tags: security
Justification: security issues

(Since CiviCRM isn't in Jessie nor in Stretch I guess the Security Team
can ignore this.)

4.7.26, released on Nov. 1, fixes multiple security issues, with risks
upstream classified up to “critical” for CIVI-SA-2017-1[1-5]:

    CIVI-SA-2017-08 XSS in HTML link attributes
    CIVI-SA-2017-09 Shell injection vulnerability in smarty
    CIVI-SA-2017-10 XSS scripting in premium product name
    CIVI-SA-2017-11 XSS in dedupe rules
    CIVI-SA-2017-12 XSS in tag description
    CIVI-SA-2017-13 Selectedchild URL parameter not properly validated for CiviCRM message templates
    CIVI-SA-2017-14 XSS in search criteria description
    CIVI-SA-2017-15 Extension key not properly validated when adding or disabling or uninstalling extension
    CIVI-SA-2017-16 SQL injection risk in CiviReports listing
    — https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727

-- 
Guilhem.


--- End Message ---
--- Begin Message ---
Source: civicrm
Source-Version: 4.7.30+dfsg-1

We believe that the bug you reported is fixed in the latest version of
civicrm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated civicrm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 19 Mar 2018 08:27:36 +1100
Source: civicrm
Binary: civicrm-common civicrm-l10n wordpress-civicrm
Architecture: source all
Version: 4.7.30+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Description:
 civicrm-common - CiviCRM common files
 civicrm-l10n - CiviCRM country and language data
 wordpress-civicrm - CiviCRM plugin for WordPress
Closes: 883640 885117 887330
Changes:
 civicrm (4.7.30+dfsg-1) unstable; urgency=medium
 .
   * New upstream release [February 2018].
     + fixed multiple XSS vulnerabilities (Closes: #887330).
     + fixed compatibility with php-symfony 3.4 (Closes: #883640).
   * No longer build "drupal7-mod-civicrm" package (Closes: #885117).
     Thanks, Gunnar Wolf.
   * Standards-Version: 4.1.3.
   * debhelper & compat to version 11.

--- End Message ---
