Your message dated Wed, 06 Oct 2010 17:17:48 +0000
with message-id <e1p3xci-0008az...@franck.debian.org>
and subject line Bug#593302: fixed in python-cjson 1.0.5-4
has caused the Debian Bug report #593302,
regarding python-cjson: CVE-2009-4924 xss vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
593302: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-cjson
Version: 1.0.5-1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python-cjson.

CVE-2009-4924[0]:
| Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument
| to cjson.encode, which makes it easier for remote attackers to conduct
| certain cross-site scripting (XSS) attacks involving Firefox and the
| end tag of a SCRIPT element.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4924
    http://security-tracker.debian.org/tracker/CVE-2009-4924



--- End Message ---
--- Begin Message ---
Source: python-cjson
Source-Version: 1.0.5-4

We believe that the bug you reported is fixed in the latest version of
python-cjson, which is due to be installed in the Debian FTP archive:

python-cjson-dbg_1.0.5-4_amd64.deb
  to main/p/python-cjson/python-cjson-dbg_1.0.5-4_amd64.deb
python-cjson_1.0.5-4.debian.tar.gz
  to main/p/python-cjson/python-cjson_1.0.5-4.debian.tar.gz
python-cjson_1.0.5-4.dsc
  to main/p/python-cjson/python-cjson_1.0.5-4.dsc
python-cjson_1.0.5-4_amd64.deb
  to main/p/python-cjson/python-cjson_1.0.5-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated python-cjson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 Sep 2010 22:14:36 +0200
Source: python-cjson
Binary: python-cjson python-cjson-dbg
Architecture: source amd64
Version: 1.0.5-4
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Description: 
 python-cjson - Very fast JSON encoder/decoder for Python
 python-cjson-dbg - Very fast JSON encoder/decoder for Python (debug extension)
Closes: 593302
Changes: 
 python-cjson (1.0.5-4) unstable; urgency=high
 .
   * debian/patches:
     - New patch: 0002-fix-for-CVE-2009-4924
       Fixing a xss vulnerability by handling ['/'] arguments to cjson.encode
       properly.
       Closes: #593302, Fixes: CVE-2009-2924

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
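
The issue named in the CVE text and the changelog entry above, as an added example that is not part of the original messages or of the Debian patch: Python's standard `json` module stands in for `cjson.encode`, and the `\/` escaping is one common mitigation, assumed here rather than taken from patch 0002. The input string and the page template are constructed samples.

```python
import json
from html.parser import HTMLParser

# Constructed sample: attacker-influenced text that ends up in a JSON string.
UNTRUSTED = "</script><script>alert(1)</script>"

def encode_plain(value):
    """Stand-in for an encoder that leaves '/' unescaped (stdlib json does)."""
    return json.dumps(value)

def encode_script_safe(value):
    """Emit '/' as '\\/', a legal JSON escape, so '</script' never appears."""
    return json.dumps(value).replace("/", "\\/")

def round_trips(value):
    """The escaped form must still decode to the original value."""
    return json.loads(encode_script_safe(value)) == value

def render(json_text):
    """Hypothetical template that inlines JSON into a SCRIPT element."""
    return "<script>var data = " + json_text + ";</script>"

class ScriptCounter(HTMLParser):
    """Counts the script start tags an HTML parser recognises."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def count_script_elements(page):
    # An HTML parser ends a SCRIPT element at the first '</script',
    # without regard to JavaScript or JSON string quoting.
    parser = ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts

if __name__ == "__main__":
    for encode in (encode_plain, encode_script_safe):
        page = render(encode([UNTRUSTED]))
        print(encode.__name__, count_script_elements(page), page)
```

With the plain encoder the HTML parser sees two script elements, the second one coming from the data; with `/` escaped it sees only the intended one and the value still decodes unchanged.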
