Bug#516555: CVE-2008-6059: missing access restriction
On Wed, Feb 25, 2009 at 12:38:12AM -0500, Michael Gilbert wrote: does this problem (with cookies) really affect the version of webkit in debian, which does not currently support cookies (or more accurately the libraries in debian are not current enough to support cookies in webkit)? Gustavo, Mike, can you confirm that Webkit from Lenny isn't affected by this problem? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#516555: CVE-2008-6059: missing access restriction
On Sun, 26 Apr 2009 10:17:22 +0200 Moritz Muehlenhoff wrote: On Wed, Feb 25, 2009 at 12:38:12AM -0500, Michael Gilbert wrote: does this problem (with cookies) really affect the version of webkit in debian, which does not currently support cookies (or more accurately the libraries in debian are not current enough to support cookies in webkit)? Gustavo, Mike, can you confirm that Webkit from Lenny isn't affected by this problem? webkit 1.0.1-4 in lenny passes their regression test for this particular issue. after reviewing the code [1], the patches primarily appear to fix the mac- and windows-specific cookie handling code and just clean up the libsoup-related code. the linux-specific code relies on lipsoup for cookies, and since webkit 1.0.1-4 does not depend on libsoup, i would say that lenny is safe; unless webkit is falling back on one of the other cookie handlers. going forward, someone needs to check whether libsoup is vulnerable or not. i have submitted some questions upstream [2] to get their opinion. [1] http://trac.webkit.org/changeset/38566 [2] https://bugs.webkit.org/show_bug.cgi?id=10957 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#516555: CVE-2008-6059: missing access restriction
does this problem (with cookies) really affect the version of webkit in debian, which does not currently support cookies (or more accurately the libraries in debian are not current enough to support cookies in webkit)? -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#516555: CVE-2008-6059: missing access restriction
Package: webkit Severity: important Tags: security Hi Mike, the following CVE (Common Vulnerabilities Exposures) id was published for webkit. CVE-2008-6059[0]: | xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not | properly restrict access from web pages to the (1) Set-Cookie and (2) | Set-Cookie2 HTTP response headers, which allows remote attackers to | obtain sensitive information from cookies via XMLHttpRequest calls, | related to the HTTPOnly protection mechanism. I am not quite sure that I understood the issue correctly, so I used important as the severity. Maybe you could investigate the severity and state your opinion? If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6059 http://security-tracker.debian.net/tracker/CVE-2008-6059 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org