Your message dated Wed, 21 Mar 2018 17:41:20 +0000 with message-id <e1eyhjk-0007e1...@fasolo.debian.org> and subject line Bug#881796: fixed in pluxml 5.6-1 has caused the Debian Bug report #881796, regarding CVE-2017-1001001: pluxml: XSS and missing httponly flag to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
881796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pluxml
Version: 5.5-2
Severity: grave
Tags: security upstream

https://nvd.nist.gov/vuln/detail/CVE-2017-1001001
https://github.com/pluxml/PluXml/issues/253

PluXml version 5.6 is vulnerable to a stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges.

Two problems:
- Cross-site scripting vulnerability with "writer" role
- Missing HttpOnly flag

-- 
Henri Salo
--- End Message ---
--- Begin Message ---
Source: pluxml
Source-Version: 5.6-1

We believe that the bug you reported is fixed in the latest version of pluxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 881...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+deb...@ortolo.eu> (supplier of updated pluxml package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Wed, 21 Mar 2018 10:48:19 +0100
Source: pluxml
Binary: pluxml
Architecture: source all
Version: 5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+deb...@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+deb...@ortolo.eu>
Description:
 pluxml - light blog/CMS engine powered by XML
Closes: 855162 881796
Changes:
 pluxml (5.6-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/po/es.po: Update Spanish translation. (Closes: #855162)
   * debian/postinst:
     - add new config parameter bypage_tags.
     - update the software version parameter in the generated
       configuration file.
   * debian/patches:
     - fix-mandatory-captcha.patch: remove patch applied upstream.
     - mitigate_CVE-2017-1001001.patch: mitigate a security issue
       CVE-2017-1001001 (Closes: #881796)
   * debian/compat: use debhelper compatibility level 11.
   * debian/control:
     - depend on debhelper >= 9.
     - switch priority from extra (deprecated) to optional.
     - add Rules-Requires-Root: binary-targets, necessary to run chmod and
       chown in debian/rules.
     - add default-mta to the recommends.
     - update Standards-Version to 4.1.3 (changes required).
   * debian/copyright: use a secure format URL.
   * debian/rules: remove inappropriate exec rights on a PHP class file.
   * debian/source/lintian-overrides: remove obsolete overrides.
--- End Message ---