Your message dated Wed, 08 Feb 2023 09:36:34 +0000
with message-id <e1ppgsu-009srv...@fasolo.debian.org>
and subject line Bug#1026992: fixed in graphite-web 1.1.8-1.1
has caused the Debian Bug report #1026992,
regarding graphite-web: CVE-2022-4728 CVE-2022-4729 CVE-2022-4730
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1026992: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026992
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: graphite-web
Version: 1.1.8-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for graphite-web.

Filing with RC severity is slightly borderline, but we should assure
graphite-web is on that regard up to date in bookworm.

CVE-2022-4728[0]:
| A vulnerability has been found in Graphite Web and classified as
| problematic. This vulnerability affects unknown code of the component
| Cookie Handler. The manipulation leads to cross site scripting. The
| attack can be initiated remotely. The exploit has been disclosed to
| the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. VDB-216742 is the identifier assigned to this
| vulnerability.


CVE-2022-4729[1]:
| A vulnerability was found in Graphite Web and classified as
| problematic. This issue affects some unknown processing of the
| component Template Name Handler. The manipulation leads to cross site
| scripting. The attack may be initiated remotely. The exploit has been
| disclosed to the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. The associated identifier of this
| vulnerability is VDB-216743.


CVE-2022-4730[2]:
| A vulnerability was found in Graphite Web. It has been classified as
| problematic. Affected is an unknown function of the component Absolute
| Time Range Handler. The manipulation leads to cross site scripting. It
| is possible to launch the attack remotely. The exploit has been
| disclosed to the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. The identifier of this vulnerability is
| VDB-216744.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4728
    https://www.cve.org/CVERecord?id=CVE-2022-4728
[1] https://security-tracker.debian.org/tracker/CVE-2022-4729
    https://www.cve.org/CVERecord?id=CVE-2022-4729
[2] https://security-tracker.debian.org/tracker/CVE-2022-4730
    https://www.cve.org/CVERecord?id=CVE-2022-4730

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: graphite-web
Source-Version: 1.1.8-1.1
Done: Christoph Martin <mar...@uni-mainz.de>

We believe that the bug you reported is fixed in the latest version of
graphite-web, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <mar...@uni-mainz.de> (supplier of updated graphite-web package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Feb 2023 15:42:01 +0100
Source: graphite-web
Architecture: source
Version: 1.1.8-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Graphite Group <team+debian-graphite-t...@tracker.debian.org>
Changed-By: Christoph Martin <mar...@uni-mainz.de>
Closes: 1026992
Changes:
 graphite-web (1.1.8-1.1) unstable; urgency=medium
 .
   * NMU
   * CVE-2022-4728, CVE-2022-4729 & CVE-2022-4730: Prevent a series of
     cross-site scripting (XSS) vulnerabilities that could have been exploited
     remotely. Issues existed in the Cookie Handler, Template Name Handler and
     Absolute Time Range Handler components. (Closes: #1026992)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
