On Sun, Jan 09, 2011 at 11:39:42AM -0600, Martin Pitt wrote:
> tag 608822 confirmed upstream
> forwarded 608822 http://bugs.calibre-ebook.com/ticket/7980
> thanks
>
> Hello Moritz,
>
> Moritz Muehlenhoff [2011-01-03 19:11 +0100]:
> > there's been an advisory on calibre. I'm not sure whether it
> > actually applies to the Debian package; is the content server
> > distributed in the Debian package? Please check.
> >
> > http://www.waraxe.us/advisory-77.html
>
> Thanks for pointing this out. This indeed affects the Debian packages
> as well. The first described vuln (path traversal) got fixed upstream
> in 0.7.35, I have 0.7.38 ready for upload.
>
> However, it seems that upstream missed the second one (the XSS). I
> pinged him again in the corresponding bug:
>
> http://bugs.calibre-ebook.com/ticket/7980
>
> The path traversal is fixed with this patch:
>
> http://bazaar.launchpad.net/~kovid/calibre/trunk/revision/7302
>
> which looks easily backportable to the 0.7.7 version in testing. But
> before I prepare this, I'd like to see the XSS fixed as well.
Now that both issues are addressed, could you please prepare a tpu fix?

Thanks,
Moritz