Seth Arnold (seth.arnold) reports: Hello Kurt, Steve, all, I am requesting a 2012 CVE for an incomplete security fix in smokeping, fixed in version 2.6.9. CVE-2012-0790 was assigned to smokeping for XSS flaws. The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The filtering used this blacklist: $mode =~ s/[<>&%]/./g; The version in 2.6.9 uses the following blacklist: my $xssBadRx = qr/[<>%&'";]/; (', ", and ; have been added. When it is used, blacklist chars are now turned to _ rather than . ) The 2.6.9 version prevents escaping <html attribute="..."> via " characters. The incomplete fix is in 2.6.7 and 2.6.8. This flaw was discovered by Florian Weimer [1] in 2012 and brought to our attention [2] in 2013. The upstream CHANGES [3] file includes, in part: -------------------------------------------------- 2013/03/04 - released version 2.6.9 * be more careful about preventing xss attacks, re http://bugs.debian.org/659899 (tobi) -------------------------------------------------- I have not found an up-to-date online browsable source. Thanks 1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37 2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061 3: http://oss.oetiker.ch/smokeping/pub/CHANGES
Created smokeping tracking bugs for this issue: Affects: fedora-all [bug 986522]
smokeping-2.6.9-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
smokeping-2.6.9-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.