Bug 144127
Summary: | CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6 on FC3 | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Dave Miller <justdave>
Component: | htdig | Assignee: | Phil Knirsch <pknirsch>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 3 | CC: | bressers, gerv, rvokal, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | impact=moderate,public=20050203 | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-04-19 15:22:00 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Dave Miller
2005-01-04 18:46:28 UTC
The actual package revision (left that out on the initial report -- apologies) is: htdig-web-3.2.0b6-3

I've also reproduced this on a Fedora Core 1 box with: htdig-web-3.2.0-19.20030601

This issue should also affect FC2.

Hi Dave; this bug is currently marked as embargoed. We'd like to share the details with other vendor security teams that may ship htdig. Have you contacted anyone else about this issue?

Mark: Dave didn't actually discover the issue - mikx did. He recently made about 44 XSS vulnerabilities (including one in Bugzilla) public at the same time; I don't know if this was among them, or whether it was a later discovery.

Gerv

Thanks Gervase; we've spoken to Michael yesterday and he has not yet disclosed this particular issue, believing it due to site configuration. We've confirmed that it isn't a template flaw and have started talking to other vendor security teams to co-ordinate a fix.

Removing embargo - This issue was leaked public early by SUSE.

Apologies for not replying sooner, I'm not getting bugmail from Bugzilla for some reason. I didn't report it anywhere upstream because I didn't have any non-redhat machines to test it on to verify it wasn't just a redhat issue. Looks like you've already figured out that wasn't the case though.

Packages have been built, waiting for signing and push.

Read ya, Phil

Packages signed and pushed, announcement email sent. Closing bug.

Read ya, Phil