A vulnerability has been reported in Namazu, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed in certain character encodings (e.g. UTF-7) to namazu.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in versions prior to 2.0.18.

ORIGINAL ADVISORY:
JVN: http://jvn.jp/jp/JVN%2300892830/index.html
Namazu: http://www.namazu.org/security.html.eniubvg
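An added example (not from the advisory or from Namazu's code) of why HTML-escaping alone does not neutralise UTF-7 input of the kind described above, written as a small check a defender could run over a reflected query and the response's Content-Type. The sample value is a constructed, harmless `<b>` tag, the function names are hypothetical, and the charset check rests on an assumption not stated in the advisory: that a browser only guesses UTF-7 when the response declares no charset.

```python
import html
import re
from email.message import Message

# A UTF-7 shifted run: '+', modified base64, optional closing '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
HTML_META = set("<>\"'&")


def hidden_markup(escaped: str) -> str:
    """Return HTML metacharacters that only appear once the text is read as UTF-7."""
    if not UTF7_RUN.search(escaped):
        return ""
    try:
        decoded = escaped.encode("ascii").decode("utf-7")
    except UnicodeError:
        # Not valid UTF-7 (e.g. "C++"), so nothing is hidden in it.
        return ""
    return "".join(sorted(HTML_META.intersection(decoded) - set(escaped)))


def declared_charset(content_type: str):
    """Return the charset parameter of a Content-Type value, or None if absent."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def audit(content_type: str, query: str) -> list:
    """List findings for a query that a page echoes back after HTML-escaping it."""
    findings = []
    reflected = html.escape(query)  # '+', '-' and base64 letters pass through unchanged
    meta = hidden_markup(reflected)
    if meta:
        findings.append(f"escaped output still decodes to {meta!r} as UTF-7")
        # Assumption: encoding auto-detection only applies without a declared charset.
        if declared_charset(content_type) is None:
            findings.append("no charset in Content-Type; browser may auto-detect")
    return findings


if __name__ == "__main__":
    sample = "+ADw-b+AD4-"  # constructed sample: "<b>" written in UTF-7
    for header in ("text/html", "text/html; charset=EUC-JP"):
        print(header, "->", audit(header, sample))
```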
CVE name was requested.
namazu-2.0.18-1.fc7 has been submitted as an update for Fedora 7
namazu-2.0.18-1.fc8 has been submitted as an update for Fedora 8
CVE-2008-1468
namazu-2.0.18-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
namazu-2.0.18-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Update won't work because of missing dependencies:

Error: Missing Dependency: perl(time.pl) is needed by package namazu
Error: Missing Dependency: perl(util.pl) is needed by package namazu
Error: Missing Dependency: perl(document.pl) is needed by package namazu
Error: Missing Dependency: perl(nmzidx.pl) is needed by package namazu
Error: Missing Dependency: perl(var.pl) is needed by package namazu
Error: Missing Dependency: perl(conf.pl) is needed by package namazu

and likewise for namazu.cgi

This is in Fedora 8.
See the section on filtering unwanted requires for details on how to fix this. http://fedoraproject.org/wiki/Packaging/Perl
Actually no, this was caused by following that. rpmbuild for F-8 seems not to be looking into __perl_requires, but __find_requires. I have to revert that change anyway.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2678
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2767