Debian: New gnatsweb packages fix cross-site scripting
Summary
- ------------------------------------------------------------------------Debian Security Advisory DSA-1486-1 security@debian.org http://www.debian.org/security/ Steve Kemp February 04, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------Package : gnatsweb Vulnerability : cross-site scripting Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-2808 Debian Bug : 427156 "r0t" discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitize the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or javascript code. For the stable distribution (etch), this problem has been fixed in version 4.00-1etch1. We recommend that you upgrade your gnatsweb package. Upgrade instructions - --------------------wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - -------------------------------Source archives: Size/MD5 checksum: 566 2f4db4f88a4018f68c19598e9b3781e1 Size/MD5 checksum: 87656 1d715610ea05ad3aa498d20158b01667 Size/MD5 checksum: 2396 82f3180801f111b682a8e94c41c2627c Architecture independent packages: Size/MD5 checksum: 56190 2decb55d6c8e571474b4375394fc14f0 These files will probably be moved into the stable distribution on its next update. - ---------------------------------------------------------------------------------For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org