tag 608822 confirmed upstream
forwarded 608822 http://bugs.calibre-ebook.com/ticket/7980
thanks

Hello Moritz,

Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> there's been an advisory on calibre. I'm not sure whether it
> actually applies to the Debian package; is the content server
> distributed in the Debian package? Please check.
>
> http://www.waraxe.us/advisory-77.html

Thanks for pointing this out. This indeed affects the Debian packages as
well. The first described vuln (path traversal) got fixed upstream in
0.7.35; I have 0.7.38 ready for upload. However, it seems that upstream
missed the second one (the XSS). I pinged him again in the corresponding
bug:

  http://bugs.calibre-ebook.com/ticket/7980

The path traversal is fixed with this patch:

  http://bazaar.launchpad.net/~kovid/calibre/trunk/revision/7302

which looks easily backportable to the 0.7.7 version in testing. But
before I prepare this, I'd like to see the XSS fixed as well.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
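The two vulnerability classes named in the message, a path traversal and a reflected XSS in a web content server, as an added Python example. This is illustrative code written for this page; it is not calibre's content server, not the linked upstream patch, and does not claim to show how either vulnerability in calibre actually worked. LIBRARY_ROOT, the request strings and the function names are constructed for the example.

```python
import html
import posixpath
from urllib.parse import unquote

# Constructed example root; a content server would use its configured library path.
LIBRARY_ROOT = "/srv/calibre/library"


def resolve_under_root(root, requested):
    """Map a client-supplied path onto the filesystem, refusing anything that
    would escape `root`. Returns the normalized absolute path, or None on rejection.

    Uses posixpath throughout so the result is the same on every platform.
    """
    # Decode percent-encoding once, so %2e%2e%2f is treated the same as ../
    decoded = unquote(requested)
    # A NUL byte can truncate the path in C-level file APIs; refuse it outright.
    if "\x00" in decoded:
        return None
    # Treat the request as relative to root even if the client sends a leading slash.
    relative = decoded.lstrip("/")
    root_norm = posixpath.normpath(root)
    # normpath collapses "a/../.." segments so the containment check below is meaningful.
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Prefix test must include the separator: "/srv/calibre/library2" is not under
    # "/srv/calibre/library" even though it shares the string prefix.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def render_search_result(query, count):
    """Reflect a user-supplied search term into HTML with all metacharacters escaped.

    html.escape(quote=True) also escapes quotes, so the value is safe inside
    attribute values as well as element content.
    """
    return "<p>Results for <b>%s</b>: %d</p>" % (html.escape(query, quote=True), count)


def classify_requests(root, requests):
    """Return {request: resolved_path_or_None} for a batch of client paths."""
    return {req: resolve_under_root(root, req) for req in requests}


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, the rest traversal attempts.
    sample = [
        "Author/Book (1)/book.epub",
        "covers/1.jpg",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "Author/../../secret.txt",
        "x\x00.epub",
    ]
    for req, resolved in classify_requests(LIBRARY_ROOT, sample).items():
        print("%-30r -> %s" % (req, resolved if resolved else "REJECTED"))
    print(render_search_result("<script>alert(1)</script>", 0))
```

The containment check is done on the normalized string rather than by looking for ".." in the input, because encoded and nested forms ("%2e%2e", "a/../..") are only visible after decoding and normalization. A production server would additionally resolve symlinks (os.path.realpath) before the prefix test, since a symlink inside the library can point outside it.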

