Your message dated Wed, 08 Feb 2023 09:36:34 +0000 with message-id <e1ppgsu-009srv...@fasolo.debian.org> and subject line Bug#1026992: fixed in graphite-web 1.1.8-1.1 has caused the Debian Bug report #1026992, regarding graphite-web: CVE-2022-4728 CVE-2022-4729 CVE-2022-4730 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1026992: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026992 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: graphite-web Version: 1.1.8-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerabilities were published for graphite-web. Filling with RC severity is slightly borderline, but we should assure graphite-web is oon that regard uptodate in bookworm. CVE-2022-4728[0]: | A vulnerability has been found in Graphite Web and classified as | problematic. This vulnerability affects unknown code of the component | Cookie Handler. The manipulation leads to cross site scripting. The | attack can be initiated remotely. The exploit has been disclosed to | the public and may be used. The name of the patch is | 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a | patch to fix this issue. VDB-216742 is the identifier assigned to this | vulnerability. CVE-2022-4729[1]: | A vulnerability was found in Graphite Web and classified as | problematic. This issue affects some unknown processing of the | component Template Name Handler. The manipulation leads to cross site | scripting. The attack may be initiated remotely. The exploit has been | disclosed to the public and may be used. The name of the patch is | 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a | patch to fix this issue. The associated identifier of this | vulnerability is VDB-216743. CVE-2022-4730[2]: | A vulnerability was found in Graphite Web. It has been classified as | problematic. Affected is an unknown function of the component Absolute | Time Range Handler. The manipulation leads to cross site scripting. It | is possible to launch the attack remotely. The exploit has been | disclosed to the public and may be used. The name of the patch is | 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a | patch to fix this issue. The identifier of this vulnerability is | VDB-216744. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-4728 https://www.cve.org/CVERecord?id=CVE-2022-4728 [1] https://security-tracker.debian.org/tracker/CVE-2022-4729 https://www.cve.org/CVERecord?id=CVE-2022-4729 [2] https://security-tracker.debian.org/tracker/CVE-2022-4730 https://www.cve.org/CVERecord?id=CVE-2022-4730 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: graphite-web Source-Version: 1.1.8-1.1 Done: Christoph Martin <mar...@uni-mainz.de> We believe that the bug you reported is fixed in the latest version of graphite-web, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1026...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Christoph Martin <mar...@uni-mainz.de> (supplier of updated graphite-web package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 07 Feb 2023 15:42:01 +0100 Source: graphite-web Architecture: source Version: 1.1.8-1.1 Distribution: unstable Urgency: medium Maintainer: Debian Graphite Group <team+debian-graphite-t...@tracker.debian.org> Changed-By: Christoph Martin <mar...@uni-mainz.de> Closes: 1026992 Changes: graphite-web (1.1.8-1.1) unstable; urgency=medium . * NMU * CVE-2022-4728, CVE-2022-4729 & CVE-2022-4730: Prevent a series of cross-site scripting (XSS) vulnerabilties that could have been exploited remotely. Issues existed in the Cookie Handler, Template Name Handler and Absolute Time Range Handler components. (Closes: #1026992) Checksums-Sha1: 92c0ae9a05f6c797fe809a5267d124827ec931d9 2261 graphite-web_1.1.8-1.1.dsc 562ccbe2466bcd150b3863e162b05d5537cd9de1 1177214 graphite-web_1.1.8.orig.tar.gz 924a3bb38ddba7041ebc223f4d7369a24f1c242a 228080 graphite-web_1.1.8-1.1.debian.tar.xz 8d5c4156d584da13d7b44046c973c6f42da3adc3 9104 graphite-web_1.1.8-1.1_amd64.buildinfo Checksums-Sha256: e8de3fe032e6fc1a5cada0f2a8140e392f7f5cf182c5707cd1f68a0073af1de7 2261 graphite-web_1.1.8-1.1.dsc 54240b0f1e069b53e2ce92d4e534e21b195fb0ebd64b6ad8a49c44284e3eb0b1 1177214 graphite-web_1.1.8.orig.tar.gz e6ad37c114f822d416c552232de77cfaa15d78a5fcf3a4491552063f6a7eebfb 228080 graphite-web_1.1.8-1.1.debian.tar.xz 29ef800bcaa1f86fbbb15dcbc2b981913dee0f996f33dbd38983705a6f15e2a2 9104 graphite-web_1.1.8-1.1_amd64.buildinfo Files: 0afc1f3b6239dff93d794fd504daa089 2261 web extra graphite-web_1.1.8-1.1.dsc 088cba7cf97062e101f6c1565fc4c050 1177214 web extra graphite-web_1.1.8.orig.tar.gz 76388533a895162aa52cf8c10d6ddd48 228080 web extra graphite-web_1.1.8-1.1.debian.tar.xz 239b047399e440a91749eb2b80b67f14 9104 web extra graphite-web_1.1.8-1.1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEt1cFkfJ3DVbrq4cu7mlEXgxb5BcFAmPjagYACgkQ7mlEXgxb 5BeGHA/+NAXNOJ7w+Zqpx6QCYVI+tzm3AE8YsIItnl5EQxOVR6bz8TwW85Bs9C9G W/dbmKtqMz7WVlw0rfJ6RDXIJeQT7Pvolrp/yxbieWeZJ84ajyzHzj5vDScy+AOh BFL30QPRqjpbbDII5448J1q/C6o9hpGW7ATNMOK/6IKqLpPv3zRyRFb+KKDZvHhq O9altErYl/eP0l0+Wa9NAE21PpJnMfCdhJdbg8xBfk22wjvMy4ljcStLk0dJazMY onHX7/YGbX0VYDCGIFqUHDiHAPqhTiVHCSGI69igK2Zl5RIWv51l2vsuNw5KVcL8 c5ITOHrDZLiV954VRvyMjr4YYQhm9f88Chxz50YFbuQKR1opcYav+qW5V8Y97VAI T8LCNXtWQ3/jn0TiMpJvvaOyzMh7RyTAL1rU5wIpfZU2EYwV6WCye436XOJOeYML T4aLdycqX3K1eJOTrXn6y/Ie37LJqzgKNm+4uHqWm6GrOoFlU2auYSNr3Vz/KOpE VidKUtrkbhBRYqF4qCaKZLaSnxcWpdt7k2ssg4x/zGQX5iRW1hV2msQKTPHVn1pe 7WHnoOORiTACiRnUi5ysEuoj4EQxaa6+mIq1WjuD3LMumJrRE5mZjd7wgj0NZZDu Rq9nTyXLr0/lUxmRoTS7Cvw2b5faSDro77GBs/TNOGoRSOiKnlw= =WIyC -----END PGP SIGNATURE-----
--- End Message ---
