Bug#661993: CVE-2011-2191: persistent CSRF on admin interface

2016-06-22 Thread Jonathan Wiltshire
Package: src:cherokee

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/661993/
2: <201101232332.11736.th...@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#661993: CVE-2011-2191: persistent CSRF on admin interface

2012-03-09 Thread Gunnar Wolf
tags 661993 + upstream, help, confirmed

Hi,

Although the impact of this security bug is not too high (as a series
of conditions should be present, which are usually not there), it is a
real bug with real implications. I am tempted to downgrade it, as it
is only dangerous in very specific situations, but at least for now
I'll leave it as serious. The upstream author is informed about this
bug, but has not been able to find a way to fix it while keeping
cherokee-admin's full functionality:

   http://www.openwall.com/lists/oss-security/2011/06/06/13

The Red Hat bugtracker lists this bug as dealt with, but it seems to me
it regards just one of the two defects reported in the bug, and not
this one:

   https://bugzilla.redhat.com/show_bug.cgi?id=713304

Thanks,




Bug#661993: CVE-2011-2191: persistent CSRF on admin interface

2012-03-03 Thread Helmut Grohne
Source: cherokee
Version: 1.2.101-1
Severity: serious
Tags: security

References:
CVE-2011-2191
https://bugs.launchpad.net/ubuntu/+source/cherokee/+bug/784632
https://bugzilla.redhat.com/show_bug.cgi?id=713304

Please verify whether the issue is still present in the package. A quick
look at admin/PageVServers.py suggests that this is the case, because
the Commit function stores new_nick without any validation. Even though
the value is escaped on some accesses admin/PageStatus.py Render_Content
does not perform escaping.

Helmut
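The pattern Helmut points at above (a value accepted at commit time without validation, later interpolated into an HTML page without escaping) as an added, constructed illustration. This is not Cherokee's admin code: the in-memory `config` dict, the function names `commit_nick_*` and `render_status_*`, and the nickname character set in `NICK_RE` are all assumptions standing in for `admin/PageVServers.py Commit` and `admin/PageStatus.py Render_Content`. It shows the unsafe store-then-render path beside a hardened one that both constrains the value on input and escapes it on every output.

```python
"""Stored-value-rendered-unescaped pattern, vulnerable form beside a hardened form.

Constructed example, not Cherokee's code. `config`, `commit_nick_*`,
`render_status_*` and NICK_RE are assumptions for illustration only.
"""
import html
import re

# Assumed stand-in for the admin's configuration tree: vserver id -> settings.
config = {}


def commit_nick_unsafe(cfg, vserver_id, new_nick):
    """Store the nickname exactly as submitted, with no validation."""
    cfg.setdefault(vserver_id, {})["nick"] = new_nick


def render_status_unsafe(cfg):
    """Build a status table by interpolating the stored nick verbatim.

    Any markup in the nick lands in the page unescaped, so a nick stored
    by commit_nick_unsafe() becomes script that runs in the admin's browser.
    """
    rows = []
    for vid, vs in cfg.items():
        rows.append("<tr><td>%s</td><td>%s</td></tr>" % (vid, vs["nick"]))
    return "<table>%s</table>" % "".join(rows)


# Assumed whitelist for a virtual-server nickname: letters, digits, '_', '.', '-'.
NICK_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def commit_nick_safe(cfg, vserver_id, new_nick):
    """Reject anything outside the whitelist before it reaches the store."""
    if not NICK_RE.match(new_nick):
        raise ValueError("invalid virtual server nickname: %r" % (new_nick,))
    cfg.setdefault(vserver_id, {})["nick"] = new_nick


def render_status_safe(cfg):
    """Escape every interpolated value at the output point.

    Escaping here is independent of input validation: a value that slipped
    in through another, unvalidated path is still neutralised on render.
    """
    rows = []
    for vid, vs in cfg.items():
        rows.append(
            "<tr><td>%s</td><td>%s</td></tr>"
            % (html.escape(str(vid), quote=True), html.escape(vs["nick"], quote=True))
        )
    return "<table>%s</table>" % "".join(rows)


def contains_raw_script(page):
    """True if a literal <script> tag survived into the rendered page."""
    return "<script>" in page


def commit_rejects(nick):
    """True if the hardened commit refuses the given nickname."""
    try:
        commit_nick_safe({}, 1, nick)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed test input
    commit_nick_unsafe(config, 1, payload)
    print("unsafe render has raw <script>:", contains_raw_script(render_status_unsafe(config)))
    print("safe render has raw <script>:  ", contains_raw_script(render_status_safe(config)))
    print("safe commit rejects payload:   ", commit_rejects(payload))
```

The hardened version keeps both controls because the report notes the value "is escaped on some accesses": escaping at only some output sites leaves every other site exposed, and validating only at one commit path leaves any other writer of the same setting exposed. Constraining the value on input and escaping at every output point covers both gaps.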


