Re: [SECURITY] [DSA-2158-1] cgiirc security update
Hi,

On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote:
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in cgiirc,
> a web based IRC client, which could lead to the execution of arbitrary
> javascript.
>
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
>
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.
>
> We recommend that you upgrade your cgiirc packages.

why wasn't this fixed (e.g. through an NMU) in unstable, too? The announcement doesn't even mention unstable albeit it's the same version.

Of course there would be a propagation from stable to testing and unstable if their version is lower at point release time. But if an issue is severe enough to warrant a DSA release, unstable shouldn't be left unfixed, IMO; especially if the point release doesn't happen for quite some time.

Kind regards
Philipp Kern
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Wed, Feb 23, 2011 at 10:12:08AM +0100, Philipp Kern wrote:
> why wasn't this fixed (e.g. through an NMU) in unstable, too? The
> announcement doesn't even mention unstable albeit it's the same version.

<sarcasm>
We currently seem to have a slightly better protection for the unstable package; it doesn't work at all (at least for me).

    *** An error occurred: Program ending: Bad arg length for Socket::inet_ntoa, length is 0, should be 4 at /usr/lib/cgi-bin/cgiirc/nph-irc.cgi line 673, IP line 7.
</sarcasm>

I'm not sure if that might be IPv6 related.

There's some upstream activity so it would be nice to know if des@d.o is already known to be MIA before pushing this for removal or orphan the package.

Sven
--
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
[ Streetlight Manifesto - Here's To Life ]

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110223141123.GA10794@marvin
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Wed, Feb 23, 2011 at 03:11:23PM +0100, Sven Hoexter wrote:
> On Wed, Feb 23, 2011 at 10:12:08AM +0100, Philipp Kern wrote:
> > why wasn't this fixed (e.g. through an NMU) in unstable, too? The
> > announcement doesn't even mention unstable albeit it's the same version.
>
> There's some upstream activity so it would be nice to know if des@d.o is
> already known to be MIA before pushing this for removal or orphan the
> package.

He is not marked as MIA, but we will ping him to see if it is ok to orphan this package.

Cheers
--
René on Behalf of MIA team
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote:
> Hi,
>
> On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote:
> > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in cgiirc,
> > a web based IRC client, which could lead to the execution of arbitrary
> > javascript.
> >
> > For the old-stable distribution (lenny), this problem has been fixed in
> > version 0.5.9-3lenny1.
> >
> > For the stable distribution (squeeze), and unstable distribution (sid),
> > this problem will be fixed shortly.
> >
> > We recommend that you upgrade your cgiirc packages.
>
> why wasn't this fixed (e.g. through an NMU) in unstable, too? The
> announcement doesn't even mention unstable albeit it's the same version.

Updating packages in unstable is in Debian the primary responsibility of the package maintainer. The security team tries to address issues in stable, oldstable and, in second instance, testing; unstable is addressed mostly as a way to ensure the issue is eventually fixed in testing.

I understand your concern about unstable, but I would advise that you do not use unstable for critical systems, and our FAQ advises that too: http://www.debian.org/security/faq#unstable

In the ideal world all suites are fixed simultaneously, and many times in the case of MIA maintainers unstable is also fixed by a member of the (testing) security team, mostly with an eye to fix testing via migration. So the security situation of unstable is mostly very decent. However, of all suites unstable obviously is not the priority. We use the security tracker to ensure that we know which packages still need fixing in testing.

> especially if the point release doesn't happen for quite some time.

It was probably not a consideration in this case, but the next point release is scheduled within a week or two.

Thijs
Re: [SECURITY] [DSA-2158-1] cgiirc security update
Hi,

Steve Kemp wrote:
> Debian Security Advisory DSA-2158-1                   secur...@debian.org
> http://www.debian.org/security/                               Steve Kemp
> February 9, 2011                       http://www.debian.org/security/faq
>
> Package        : cgiirc
> Vulnerability  : cross-site scripting
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2011-0050
>
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in cgiirc,
> a web based IRC client, which could lead to the execution of arbitrary
> javascript.
>
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.

This package does not yet show up in Lenny. According to http://packages.debian.org/search?keywords=cgiirc 0.5.9-3lenny1 has been uploaded to squeeze's security repo only.

Can you please upload it to Lenny, too?

Regards, Axel
--
 ,''`.  | Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' :  | Debian Developer, ftp.ch.debian.org Admin
`. `'   | 1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    | 4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5

Archive: http://lists.debian.org/20110211093746.gj12...@sym.noone.org
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Fri Feb 11, 2011 at 10:37:46 +0100, Axel Beckert wrote:
> This package does not yet show up in Lenny. According to
> http://packages.debian.org/search?keywords=cgiirc 0.5.9-3lenny1 has been
> uploaded to squeeze's security repo only.

Yes - this has been a bit of a mess, due to the release occurring during the middle of the preparation and release of the update.

I'm uploading for lenny/old-security now.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/

Archive: http://lists.debian.org/20110211102255.ga1...@steve.org.uk
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote:
> Package        : cgiirc
> Vulnerability  : cross-site scripting
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2011-0050
>
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in cgiirc,
> a web based IRC client, which could lead to the execution of arbitrary
> javascript.
>
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
>
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.

No sign of this yet on security.debian.org for lenny, but http://packages.qa.debian.org/c/cgiirc.html says that 0.5.9-3lenny1 is in stable-sec (which is of course squeeze-sec now), so it looks like this package went to the wrong distribution (although as both lenny and squeeze had 0.5.9-3 previously this may not be a disaster).

Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Archive: http://lists.debian.org/20110210121700.gz4...@urchin.earth.li