[SECURITY] [DLA 298-1] roundup security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : roundup
Version : 1.4.15-3+deb6u1
CVE ID : CVE-2012-6130 CVE-2012-6131 CVE-2012-6132 CVE-2012-6133
* CVE-2012-6130
Cross-site scripting (XSS) vulnerability in the history
display in Roundup before 1.4.20 allows remote attackers
to inject arbitrary web script or HTML via a username,
related to generating a link.
* CVE-2012-6131
Cross-site scripting (XSS) vulnerability in cgi/client.py
in Roundup before 1.4.20 allows remote attackers to inject
arbitrary web script or HTML via the @action parameter to
support/issue1.
* CVE-2012-6132
Cross-site scripting (XSS) vulnerability in Roundup before
1.4.20 allows remote attackers to inject arbitrary web
script or HTML via the otk parameter.
* CVE-2012-6133
Cross-site scripting (XSS) flaws in ok and error messages.
We solve this differently from the proposals in the bug report
by not allowing *any* HTML tags in ok/error messages anymore.
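The two patterns behind these CVEs are untrusted data reaching HTML unescaped (a username interpolated into a history link, request parameters such as @action and otk echoed back) and status messages that were allowed to carry markup. The following is an added illustration, not Roundup's own code and not the Debian patch: it shows a vulnerable link renderer next to a hardened one, and a tag-stripping filter of the kind the "no HTML tags at all in ok/error messages" approach implies. The function names, the sample username and the sample payload are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample inputs (not taken from the advisory): a username and a
# request parameter carrying markup of the kind the CVEs describe.
HOSTILE_USERNAME = 'mallory"><script>alert(1)</script>'
HOSTILE_PARAM = '<img src=x onerror=alert(1)>'


def history_link_vulnerable(username):
    """'Before' behaviour: the username is interpolated into a link as-is,
    so a username containing markup becomes live HTML in the history view."""
    return '<a href="user?name=%s">%s</a>' % (username, username)


def history_link_hardened(username):
    """Hardened: percent-encode the value inside the href and HTML-escape it
    in the link text, so the browser treats the username as data, not markup."""
    return '<a href="user?name=%s">%s</a>' % (
        quote(username, safe=""),
        html.escape(username, quote=True),
    )


class _TagStripper(HTMLParser):
    """Collects text nodes only; start tags, end tags and comments are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(message):
    """Remove every HTML tag from a status message, then escape what remains.

    Disallowing all tags (rather than maintaining an allow-list) is the
    approach the advisory describes for ok/error messages. Text that was
    inside a tag survives as plain text; since the result is escaped, it is
    rendered literally and cannot execute.
    """
    parser = _TagStripper()
    parser.feed(message)
    parser.close()
    return html.escape("".join(parser.parts), quote=True)


def render_status(ok_message):
    """Render a status line so that only plain text reaches the page."""
    return '<p class="ok-message">%s</p>' % strip_tags(ok_message)


if __name__ == "__main__":
    print(history_link_vulnerable(HOSTILE_USERNAME))
    print(history_link_hardened(HOSTILE_USERNAME))
    print(render_status(HOSTILE_PARAM))
    print(render_status("Issue created <b>ok</b>"))
```

The href and the link text are encoded differently on purpose: percent-encoding is the correct escaping for a query-string value, HTML entity escaping for text content. Applying only one of the two to both positions leaves one context injectable.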