OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Feb-2003 13:32:59
Branch: HEAD Handle: 2003021812325800
Modified files:
openpkg-web/security OpenPKG-SA-2003.009-w3m.txt
Log:
final par(1) formatting and use non-escaped URLs
Summary:
Revision Changes Path
1.3 +11 -11 openpkg-web/security/OpenPKG-SA-2003.009-w3m.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.009-w3m.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.009-w3m.txt
--- openpkg-web/security/OpenPKG-SA-2003.009-w3m.txt 18 Feb 2003 12:13:40 -0000
1.2
+++ openpkg-web/security/OpenPKG-SA-2003.009-w3m.txt 18 Feb 2003 12:32:58 -0000
1.3
@@ -20,17 +20,17 @@
Description:
According to Hironori Sakamoto, one of the w3m developers, two
- security vulnerabilities exist in w3m [0]. Releases before 0.3.2.1 do
- not escape an HTML tag in a frame, which allows remote attackers to
- access files or cookies [1]. Releases before 0.3.2.2 do not properly
- escape HTML tags in the ALT attribute of an IMG tag, which could allow
- remote attackers to access files or cookies [2]. The Common
- Vulnerabilities and Exposures (CVE) project assigned the ids
- CAN-2002-1335 [3] and CAN-2002-1348 [4] to these problems. We have
+ security vulnerabilities exist in w3m [0]. Releases before 0.3.2.1
+ do not escape an HTML tag in a frame, which allows remote attackers
+ to access files or cookies [1]. Releases before 0.3.2.2 do not
+ properly escape HTML tags in the ALT attribute of an IMG tag, which
+ could allow remote attackers to access files or cookies [2]. The
+ Common Vulnerabilities and Exposures (CVE) project assigned the ids
+ CAN-2002-1335 [3] and CAN-2002-1348 [4] to these problems. We have
backported the patch to the 0.3.1 release.
- Please check whether you are affected by running "<prefix>/bin/rpm -q
- w3m". If you have the "w3m" package installed and its version is
+ Please check whether you are affected by running "<prefix>/bin/rpm
+ -q w3m". If you have the "w3m" package installed and its version is
affected (see above), we recommend that you immediately upgrade it
(see Solution) [5][6].
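Review bot: the check command in the second re-wrapped paragraph is still broken across a line end, now between "<prefix>/bin/rpm" and "-q w3m", so a reader who copies the first line gets an incomplete command. Keep the whole quoted string "<prefix>/bin/rpm -q w3m" on one line, even if that leaves the previous line short after par(1). While this paragraph is being touched, "We have backported the patch to the 0.3.1 release" uses the singular although two issues (CAN-2002-1335 and CAN-2002-1348) are described, each fixed in a different upstream release. Say explicitly whether the backport covers both.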
@@ -56,8 +56,8 @@
References:
[0] http://w3m.sourceforge.net/
- [1] http://mi.med.tohoku.ac.jp/%7Esatodai/w3m-dev-en/200211.month/838.html
- [2] http://mi.med.tohoku.ac.jp/%7Esatodai/w3m-dev-en/200212.month/843.html
+ [1] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200211.month/838.html
+ [2] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200212.month/843.html
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1335
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1348
[5] http://www.openpkg.org/tutorial.html#regular-source
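Review bot: references [1] and [2] now carry a literal "~" in place of "%7E". The two forms are equivalent, and tilde is an unreserved character under RFC 2396, but RFC 1738 listed it as unsafe because gateways and transport agents sometimes altered it. Since this text is distributed as plain text, confirm that both links still resolve when copied from the published advisory. These two lines are also the longest in the reference list, so check that a later par(1) pass cannot wrap them and split the URL.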
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]