Bug 152907
Summary: | CAN-2005-0085 htdig cross-site scripting vulnerability
---|---
Product: | [Retired] Fedora Legacy
Reporter: | Marc Deslauriers <marc.deslauriers>
Component: | htdig
Assignee: | Fedora Legacy Bugs <bugs>
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Version: | unspecified
CC: | bugzilla.redhat, jimpop, pekkas
Keywords: | Security
Hardware: | All
OS: | Linux
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0085
Whiteboard: | 1, 2, LEGACY, rh73, rh90
Doc Type: | Bug Fix
Last Closed: | 2006-01-10 01:18:34 UTC
Description
David Lawrence
2005-03-30 23:31:41 UTC
Here are updated packages to QA:

Changelog:
* Sun Jun 12 2005 Marc Deslauriers <marcdeslauriers> 3.2.0-2.011302.1.legacy
- Added patch for CAN-2005-0085

rh73:
50a1bf96023c78bd3370356e54d3bb54ae6cac9c htdig-3.2.0-2.011302.1.legacy.i386.rpm
b3f4f92f03fca35ce98f4d041d7397e1220cdac0 htdig-3.2.0-2.011302.1.legacy.src.rpm
543b8ac72415ebb6322393fb6f2edae3b62f34e4 htdig-web-3.2.0-2.011302.1.legacy.i386.rpm

7.3 Source: http://www.infostrategique.com/linuxrpms/legacy/7.3/htdig-3.2.0-2.011302.1.legacy.src.rpm
7.3 Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

rh9:
270dd2e790d87833f294f591545969cbb73c6286 htdig-3.2.0-16.20021103.1.legacy.i386.rpm
65dd05c588784832e93b4e07ffd5664496dce400 htdig-3.2.0-16.20021103.1.legacy.src.rpm
128cf1059bebca1941bcc15bcfe1f2c108627054 htdig-web-3.2.0-16.20021103.1.legacy.i386.rpm

9 Source: http://www.infostrategique.com/linuxrpms/legacy/9/htdig-3.2.0-16.20021103.1.legacy.src.rpm
9 Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
a0dbfa55dcf8b1a6a9976fdee01b5a6758dac8fd htdig-3.2.0-19.20030601.1.legacy.i386.rpm
3b7a3dbf552121f5b58333181934d8935980b108 htdig-3.2.0-19.20030601.1.legacy.src.rpm
87752190150283fe4e6b9074f24b57ebe42e04f3 htdig-web-3.2.0-19.20030601.1.legacy.i386.rpm

fc1 Source: http://www.infostrategique.com/linuxrpms/legacy/1/htdig-3.2.0-19.20030601.1.legacy.src.rpm
fc1 Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
504bc3685655521501c7d4b84f69698c5fa26c78 htdig-3.2.0b5-7.1.legacy.i386.rpm
08f0678f829ce66396341644a64aee13d2aed6ac htdig-3.2.0b5-7.1.legacy.src.rpm
fb0fd606e2b1e80cb9e3d4a41b3e85a950475f40 htdig-web-3.2.0b5-7.1.legacy.i386.rpm

fc2 Source: http://www.infostrategique.com/linuxrpms/legacy/2/htdig-3.2.0b5-7.1.legacy.src.rpm
fc2 Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

For some reason, RHL73 and RHL9 patches don't include this segment, though it exists in the code:

> --- htdig-3.2.0b6/htsearch/qtest.cc.unescaped_output 2005-01-25 12:51:00.000000000 +0100
> +++ htdig-3.2.0b6/htsearch/qtest.cc 2005-01-25 12:51:19.000000000 +0100
> @@ -132,8 +132,7 @@
>
>      if (access((char*)configFile, R_OK) < 0)
>      {
> -        reportError(form("Unable to find configuration file '%s'",
> -            configFile.get()));
> +        reportError("Unable to find configuration file");
>      }
>
>      config->Read(configFile);

Otherwise the packages looked good, and I could give them a publish.. but unless the above is intentional, could you redo RHL73 and RHL9?

Here are updated packages for rh73 and rh9 to QA:

Changelog:
* Sun Nov 20 2005 Marc Deslauriers <marcdeslauriers> 3.2.0-16.20021103.2.legacy
- Added missing section back into CAN-2005-0085 patch

* Sun Jun 12 2005 Marc Deslauriers <marcdeslauriers> 3.2.0-16.20021103.1.legacy
- Added patch for CAN-2005-0085

rh73:
d6eafe4aaa8ea48811b986642e148269d81b3967 htdig-3.2.0-2.011302.2.legacy.i386.rpm
0c55c7d2f598045758a567ffafb6a64e8716ed3f htdig-3.2.0-2.011302.2.legacy.src.rpm
6a6433c8dce0e0960a8d7bfcbb29cc9ec811ffbf htdig-web-3.2.0-2.011302.2.legacy.i386.rpm

7.3 Source: http://www.infostrategique.com/linuxrpms/legacy/7.3/htdig-3.2.0-2.011302.2.legacy.src.rpm
7.3 Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

rh9:
038e0d96baa67caf32b257fdf2c9edac98e9c024 htdig-3.2.0-16.20021103.2.legacy.i386.rpm
c1587680614b2249e5b29f5994edd378edd85904 htdig-3.2.0-16.20021103.2.legacy.src.rpm
e20a110a211a2489bee3738d61851f980cbdecc8 htdig-web-3.2.0-16.20021103.2.legacy.i386.rpm

9 Source: http://www.infostrategique.com/linuxrpms/legacy/9/htdig-3.2.0-16.20021103.2.legacy.src.rpm
9 Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patch corresponds to RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

0c55c7d2f598045758a567ffafb6a64e8716ed3f htdig-3.2.0-2.011302.2.legacy.src.rpm
c1587680614b2249e5b29f5994edd378edd85904 htdig-3.2.0-16.20021103.2.legacy.src.rpm
3b7a3dbf552121f5b58333181934d8935980b108 htdig-3.2.0-19.20030601.1.legacy.src.rpm
08f0678f829ce66396341644a64aee13d2aed6ac htdig-3.2.0b5-7.1.legacy.src.rpm

packages were pushed to updates-testing.

++VERIFY RH73

Works as desired. Tested for vulnerability and could not reproduce.

9f2c2108c62a38698946a3d054a02318115575db htdig-3.2.0-2.011302.3.legacy.i386.rpm

NOTE: I don't see a reference to this rpm in the other comments, I'm not 100% sure of its source. Can someone confirm this sha1sum and identify the source of the build. Tia.

-Jim P.

The rpms have been rebuilt, so earlier checksums are no longer valid. It's enough at this point to verify the GPG signature on the file. Thanks for the verify, timeouts in 4 weeks.

Timeout over. Packages were released to updates.
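Review bot: in the qtest.cc hunk quoted above, the fix drops the `configFile` value from the `reportError` message entirely instead of escaping it, so the path that the `unescaped_output` patch name says was reaching the output unescaped can no longer do so at this site, at the cost of the operator losing the file name from the error text; for a stable-branch backport that mirrors the RHEL patch this constant string is the right minimal change, but the changelog entry should mention that the message text changed. Since this hunk was missing from the first RHL73 and RHL9 package set and was restored in the -2.011302.2 and -16.20021103.2 builds, the verify step should be run against those builds, and with the later rebuild the GPG signature rather than the checksums listed in earlier comments is what to check.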