Your message dated Mon, 30 Oct 2006 20:02:59 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#395099: fixed in torrentflux 2.1-5
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: torrentflux
Severity: important
Tags: security
Several vulnerabilities have been found in torrentflux:
Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.1
allow remote attackers to inject arbitrary web script or HTML via the
(1) action, (2) file, and (3) users array variables in (a) admin.php,
which are not properly handled when the administrator views the
Activity Log; and the (4) torrent parameter, as used by the
displayName variable, in (b) startpop.php, different vectors than
CVE-2006-5227.
See
http://www.stevenroddis.com.au/2006/10/13/torrentflux-startpopphp-torrent-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-action-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-file-script-insertion/
http://www.stevenroddis.com.au/2006/10/17/torrentflux-user_id-script-insertion/
Please mention the CVE id in the changelog.
--- End Message ---
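The report above describes a stored XSS: request parameters (including the users[] array) are written to the Activity Log as received and later echoed, unescaped, into the page the administrator views. The script below is an added illustration of that pattern and of the fix the changelog alludes to (HTML-entity sanitization at the output point); it is not TorrentFlux code and the function names, the in-memory log and the request payloads are all hypothetical, constructed for the example.

```php
<?php
// Added example, not TorrentFlux's own code: a minimal activity log that stores
// raw request parameters, rendered once unsafely and once with output escaping.
// log_activity(), esc(), render_activity_log*() and $activity_log are hypothetical.

$activity_log = [];   // constructed stand-in for the log table/file

// Record a request exactly as received; this is what the admin later views.
function log_activity(array &$log, string $user, array $params): void {
    $log[] = ['user' => $user, 'params' => $params];
}

// Escape a scalar, or recursively every element of an array such as users[].
// ENT_QUOTES also neutralises ' and " so the value is inert inside attributes.
function esc($value) {
    if (is_array($value)) {
        return array_map('esc', $value);
    }
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: logged values are interpolated into HTML untouched.
function render_activity_log_unsafe(array $log): string {
    $out = "<table>\n";
    foreach ($log as $entry) {
        foreach ($entry['params'] as $name => $value) {
            $shown = is_array($value) ? implode(', ', $value) : $value;
            $out .= "<tr><td>{$entry['user']}</td><td>{$name}</td><td>{$shown}</td></tr>\n";
        }
    }
    return $out . "</table>\n";
}

// Hardened rendering: every untrusted value, including array members and the
// parameter names themselves, is escaped at the point it enters the HTML.
function render_activity_log(array $log): string {
    $out = "<table>\n";
    foreach ($log as $entry) {
        $user = esc($entry['user']);
        foreach ($entry['params'] as $name => $value) {
            $value = esc($value);
            $shown = is_array($value) ? implode(', ', $value) : $value;
            $out .= "<tr><td>{$user}</td><td>" . esc($name) . "</td><td>{$shown}</td></tr>\n";
        }
    }
    return $out . "</table>\n";
}

// Constructed attacker request: payloads in scalar parameters and inside an array.
log_activity($activity_log, 'mallory', [
    'action' => '<script>alert(document.cookie)</script>',
    'file'   => 'x" onmouseover="alert(1)',
    'users'  => ['alice', '<img src=x onerror=alert(2)>'],
]);

echo "--- unsafe ---\n", render_activity_log_unsafe($activity_log);
echo "--- escaped ---\n", render_activity_log($activity_log);

// Check: the escaped output carries no raw tag from the payload, only entities.
$safe = render_activity_log($activity_log);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos($safe, '&lt;img') !== false);
```

Two points the report implies but does not spell out: escaping has to reach into array-valued parameters (an `htmlspecialchars()` call on `$_REQUEST['users']` alone fails on an array), and it must happen when the log is rendered, since the payload is already persisted by the time the administrator opens the Activity Log.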
--- Begin Message ---
Source: torrentflux
Source-Version: 2.1-5
We believe that the bug you reported is fixed in the latest version of
torrentflux, which is due to be installed in the Debian FTP archive:
torrentflux_2.1-5.diff.gz
to pool/main/t/torrentflux/torrentflux_2.1-5.diff.gz
torrentflux_2.1-5.dsc
to pool/main/t/torrentflux/torrentflux_2.1-5.dsc
torrentflux_2.1-5_all.deb
to pool/main/t/torrentflux/torrentflux_2.1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cameron Dale <[EMAIL PROTECTED]> (supplier of updated torrentflux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 28 Oct 2006 16:40:53 -0700
Source: torrentflux
Binary: torrentflux
Architecture: source all
Version: 2.1-5
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <[EMAIL PROTECTED]>
Changed-By: Cameron Dale <[EMAIL PROTECTED]>
Description:
torrentflux - web based, feature-rich BitTorrent download manager
Closes: 395099 395930
Changes:
torrentflux (2.1-5) unstable; urgency=high
.
* Updated 06_sanitize_html_entities to fix the security
issue CVE-2006-5451, urgency set to high (Closes: #395099)
* Fixed the directory traversal vulnerability (Closes: #395930)
Files:
bcf6b93c4437f7f4eba15e25452a6940 629 web optional torrentflux_2.1-5.dsc
9bf55b485cd0634b6e29b87f7ecc2856 38600 web optional torrentflux_2.1-5.diff.gz
5267b4a7f17b577157a150bf636a1eb8 430240 web optional torrentflux_2.1-5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFRsqg9n4qXRzy1ioRAlj1AJ4hmAuLZ0P/b2xNoKTWc04O1O2RzwCfR68v
Bi6wtsEck5ec7Lh75ISOyd8=
=oq1U
-----END PGP SIGNATURE-----
--- End Message ---