Your message dated Sat, 20 Aug 2011 11:47:18 +0000
with message-id <e1quk1g-0004ag...@franck.debian.org>
and subject line Bug#637584: fixed in dtc 0.34.1-1
has caused the Debian Bug report #637584,
regarding HTML injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
637584: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637584
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:dtc
Version: 0.32.10-2
Severity: grave
Tags: security upstream
dtc does not escape variables in HTML output in many places. An example
is the "Domain root TXT record:" field on the "DNS and MX" page where it
is possible to enter values such as
This is fun."><strong>Isn't it?</strong><input type="hidden
In combination with JavaScript and asking the admin to visit the page
under some pretense this can probably give interesting results.
Ansgar
--- End Message ---
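The attribute break-out Ansgar describes, as an added example that is not part of the bug report or of DTC's own code (DTC is written in PHP; this is a Python illustration of the same attribute-context escaping, and the field name `txt` and the markup around it are assumptions). It renders the quoted payload the vulnerable way and with output escaping, then tokenises both results the way a browser would, so the extra elements are counted rather than eyeballed:

```python
# Added example, not DTC's code: the "Domain root TXT record" value rendered
# into a quoted attribute without and with output escaping, then parsed to
# show what a browser would actually build. Field name "txt" and the
# surrounding markup are assumptions for illustration.
import html
from html.parser import HTMLParser

# Sample input constructed from the payload quoted in the bug report.
PAYLOAD = 'This is fun."><strong>Isn\'t it?</strong><input type="hidden'


def render_txt_field_unescaped(value):
    """Vulnerable pattern: the stored value is dropped straight into a
    quoted attribute, so a '"' in the value ends the attribute early."""
    return ('<label>Domain root TXT record: '
            f'<input type="text" name="txt" value="{value}"></label>')


def render_txt_field_escaped(value):
    """Hardened pattern: escape &, <, >, " and ' at output time, in the
    HTML context. quote=True matters because the value sits inside quotes."""
    safe = html.escape(value, quote=True)
    return ('<label>Domain root TXT record: '
            f'<input type="text" name="txt" value="{safe}"></label>')


class TagCollector(HTMLParser):
    """Records every start tag with its attributes; html.parser decodes
    entities in attribute values, as a browser does."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_elements(markup):
    """Tag names that are not part of the template (one label, one input)."""
    return [tag for tag, _ in parse_tags(markup) if tag not in ("label", "input")]


def input_count(markup):
    return sum(1 for tag, _ in parse_tags(markup) if tag == "input")


def txt_field_value(markup):
    """The value a browser would show in the 'txt' field after decoding."""
    for tag, attrs in parse_tags(markup):
        if tag == "input" and attrs.get("name") == "txt":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    for name, render in (("unescaped", render_txt_field_unescaped),
                         ("escaped", render_txt_field_escaped)):
        markup = render(PAYLOAD)
        print(f"{name}: inputs={input_count(markup)} "
              f"injected={injected_elements(markup)} "
              f"txt={txt_field_value(markup)!r}")
```

With the unescaped render the parser sees two `<input>` elements and a `<strong>` that the template never contained, and the field value is cut short at the first quote; with the escaped render there is exactly one input and its decoded value round-trips to the original string. `html.escape(value, quote=True)` is the counterpart of PHP's `htmlspecialchars($value, ENT_QUOTES)`. Two points generalise beyond this one field: escaping belongs at output time in the HTML context, not on input, since the same TXT record is also written into zone data where HTML entities would be wrong; and because the report says variables are unescaped "in many places", the parser check is worth running over every rendered form, not only the DNS & MX page.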
--- Begin Message ---
Source: dtc
Source-Version: 0.34.1-1
We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:
dtc-autodeploy_0.34.1-1_all.deb
to main/d/dtc/dtc-autodeploy_0.34.1-1_all.deb
dtc-common_0.34.1-1_all.deb
to main/d/dtc/dtc-common_0.34.1-1_all.deb
dtc-core_0.34.1-1_all.deb
to main/d/dtc/dtc-core_0.34.1-1_all.deb
dtc-cyrus_0.34.1-1_all.deb
to main/d/dtc/dtc-cyrus_0.34.1-1_all.deb
dtc-dos-firewall_0.34.1-1_all.deb
to main/d/dtc/dtc-dos-firewall_0.34.1-1_all.deb
dtc-postfix-courier_0.34.1-1_all.deb
to main/d/dtc/dtc-postfix-courier_0.34.1-1_all.deb
dtc-postfix-dovecot_0.34.1-1_all.deb
to main/d/dtc/dtc-postfix-dovecot_0.34.1-1_all.deb
dtc-stats-daemon_0.34.1-1_all.deb
to main/d/dtc/dtc-stats-daemon_0.34.1-1_all.deb
dtc-toaster_0.34.1-1_all.deb
to main/d/dtc/dtc-toaster_0.34.1-1_all.deb
dtc_0.34.1-1.diff.gz
to main/d/dtc/dtc_0.34.1-1.diff.gz
dtc_0.34.1-1.dsc
to main/d/dtc/dtc_0.34.1-1.dsc
dtc_0.34.1.orig.tar.gz
to main/d/dtc/dtc_0.34.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 637...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated dtc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 12 Aug 2011 09:04:11 +0800
Source: dtc
Binary: dtc-common dtc-dos-firewall dtc-postfix-dovecot dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster dtc-autodeploy
Architecture: source all
Version: 0.34.1-1
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <z...@debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
dtc-autodeploy - Autodeploy the DTC in a single non-interactive debconf command
dtc-common - web control panel for admin and accounting hosting services (comm
dtc-core - web control panel for admin and accounting hosting services (fewe
dtc-cyrus - web control panel for admin and accounting hosting services (cyru
dtc-dos-firewall - small anti-DoS firewall script for your web, ftp and mail servers
dtc-postfix-courier - web control panel for admin and accounting hosting services (more
dtc-postfix-dovecot - meta package to setup a minimal DTC server with Dovecot
dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 566654 599087 633617 637469 637477 637485 637487 637498 637505 637537 637584 637617 637618 637629
Changes:
dtc (0.34.1-1) unstable; urgency=high
.
* New upstream version with lots of security fixes:
- Passwords are now hashed (Closes: #566654).
- The addrlink is now checked properly, thanks to Ansgar Burchardt
<ans...@debian.org> for reporting it (Closes: #637487).
- Mailing lists tunables options are now correctly escaped before the files
are being written with an echo, thanks to Ansgar Burchardt
<ans...@debian.org> for reporting it (Closes: #637477).
- Removed sourceless build of OSX mod_log_sql, removed unwanted iglobalwall
useless files, thanks to Ansgar Burchardt <ans...@debian.org> for reporting
it (Closes: #637469).
- Fixes logPushlet input checking, thanks to Mike O'Connor <s...@vireo.org>
for reporting it (Closes: #637498).
- Removes grayboard skin as it is missing some js scripts, thanks to Mike
O'Connor <s...@vireo.org> for reporting it (Closes: #637505).
- Sets apache2.conf not to be world readable because it contains the
password for accessing the dtcdaemon database (Closes: #637485).
- Adds output escaping in the DNS & MX form (Closes: #637584).
- Install now does chmod 640 /var/log/dtc.log chown root:adm
/var/log/dtc.log (Closes: #637617).
- Checks for validity of package name in the package installer before
installing a package (Closes: #637629).
- Now using a dtc-chroot-wrapper to avoid giving too permissive access
to chrootuid, which was giving root access to apache (Closes: #637618).
- Don't use htpasswd -b, since it's showing the password on a ps. Using
crypt() and fwrite() now. (Closes: #637537).
* Added ja.po debconf translation thanks to Hideki Yamane
<henr...@debian.org> (Closes: #599087).
* Changed reference to mysql-server-5.0 to mysql-server-5.1, thanks to
Mike O'Connor <s...@vireo.org> for reporting it (Closes: #633617).
Checksums-Sha1:
075e5523539dc632549c4cc114cbad273fbc3f3f 1243 dtc_0.34.1-1.dsc
7f2d9cddb5373a97b769e6c431b9e28dc1e85fa8 8195790 dtc_0.34.1.orig.tar.gz
b2ace6b766203848c5ab234aa1179c3b160eb416 91084 dtc_0.34.1-1.diff.gz
9598121571e4d6d757ab2d3fd6dbe78f28cd9912 2428700 dtc-common_0.34.1-1_all.deb
9aee43c855853d457e15fac2c5a263443e78190f 32538 dtc-dos-firewall_0.34.1-1_all.deb
efee999fd6f867faea7bf61066859bdd10a69878 30940 dtc-postfix-dovecot_0.34.1-1_all.deb
5995f91a319fec8ba75857731b0d3daba1923379 30994 dtc-core_0.34.1-1_all.deb
387594afed847e167fa86c8cf8369d0d56c88e0c 31080 dtc-cyrus_0.34.1-1_all.deb
c2ff3fb9406274a4a8e25b7fecb43edb21b4d35a 31098 dtc-postfix-courier_0.34.1-1_all.deb
626e4325bf7481c1bd2e3a9f802c30b5047946b9 37470 dtc-stats-daemon_0.34.1-1_all.deb
5d6387aa198b5e4f4614385d163c14f50e0bdace 30972 dtc-toaster_0.34.1-1_all.deb
0adef915d634fa50a2ce58e446347635058a548b 34310 dtc-autodeploy_0.34.1-1_all.deb
Checksums-Sha256:
b752a496b2a5ea2b3b44a53eb89377bdfb02bc0d87eb9b5913cc755516bab7d3 1243 dtc_0.34.1-1.dsc
5e7822c0e61f297bcdfa5f854a66955e612287117c2733b1394b50ac50846626 8195790 dtc_0.34.1.orig.tar.gz
6e44a929931ad58f022a3c2fe3726d175e28b8fd85576970f3c8e3cc1167c0a6 91084 dtc_0.34.1-1.diff.gz
09057caf79af0ba5c9d58b6fcd5e2e83ca931dd3e6cc1e1ac7c36476ddd1197f 2428700 dtc-common_0.34.1-1_all.deb
b0d327ae55a23b4d395b6c764668282508d6ceefc9ebc5f447efa1b265a86338 32538 dtc-dos-firewall_0.34.1-1_all.deb
4a3cf4cb4fb2568a0ec1bd7d9ea9fbd58c11138af924b16851933ace6e19decf 30940 dtc-postfix-dovecot_0.34.1-1_all.deb
d5e23b6ddb212a80782d321fc67e5901c2b5bc8f8029874115035096aa09eb12 30994 dtc-core_0.34.1-1_all.deb
3b6894142368cd982f1aa3ec108d4ce9e9f76c8f30cb02910f56f0605e9ac482 31080 dtc-cyrus_0.34.1-1_all.deb
3317ccc9b6346c1899c138dffa6783451a68023b3cf8304a3f830003645bb1de 31098 dtc-postfix-courier_0.34.1-1_all.deb
5666404a689f3af50acbafcf028de5f97ddcd70bd237d13d79272887a4c0af4a 37470 dtc-stats-daemon_0.34.1-1_all.deb
7fce77b35fb440f8675dfcbd8b1f0074e1e05d662c4c19f4186fc2541e372e3a 30972 dtc-toaster_0.34.1-1_all.deb
181ef8bd2dc281dd4fe38075c8115c1c8e74cc91d4d599c7ac36427bb5e0e0bc 34310 dtc-autodeploy_0.34.1-1_all.deb
Files:
4693b32cfd5cd3872f2d1de8d3382d08 1243 admin extra dtc_0.34.1-1.dsc
c4c1ec026296f2e75a5054dc845fe77b 8195790 admin extra dtc_0.34.1.orig.tar.gz
d9eeb3f8ba4f77faa95997adaace882b 91084 admin extra dtc_0.34.1-1.diff.gz
7452c7bb25e33d7a70c06c013a16a9dd 2428700 admin extra dtc-common_0.34.1-1_all.deb
08b4211e2a003580b97d0316aa6277c4 32538 admin extra dtc-dos-firewall_0.34.1-1_all.deb
9fe0890ff9d6b66a3cda70dee3ef7d61 30940 admin extra dtc-postfix-dovecot_0.34.1-1_all.deb
8cb49a88dc37819242b10efce2b147d2 30994 admin extra dtc-core_0.34.1-1_all.deb
3a91932a4f9f4529cb2911f28ade222e 31080 admin extra dtc-cyrus_0.34.1-1_all.deb
29deb66619c5f9bb4476b99f927309f8 31098 admin extra dtc-postfix-courier_0.34.1-1_all.deb
0a741750e67e056b5565b71b1bf60de5 37470 admin extra dtc-stats-daemon_0.34.1-1_all.deb
e634ee96a0ae0c1a35a7a0e6c1472732 30972 admin extra dtc-toaster_0.34.1-1_all.deb
31f043aff445dec66e910d3c9644cdbe 34310 admin extra dtc-autodeploy_0.34.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk5P4UYACgkQl4M9yZjvmkkinACfRS4V970BAItweGiSVGPZIMlI
rNAAnReg8FAJjkPuNSaa/Y3zOXicz0c3
=bu2M
-----END PGP SIGNATURE-----
--- End Message ---