Bug#268016: marked as done ([CAN-2004-0746] Konqueror Cross-Domain Cookie Injection)
Your message dated Thu, 23 Sep 2004 22:12:17 -0500
with message-id <20040924031217.GA24134@cheney.cx>
and subject line closing bugs
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Aug 2004 14:57:21 +0000
>From joey@infodrom.org Wed Aug 25 07:57:21 2004
Return-path: <joey@infodrom.org>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BzzDF-0002Ab-00; Wed, 25 Aug 2004 07:57:21 -0700
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id C89FD366B81; Wed, 25 Aug 2004 16:57:18 +0200 (CEST)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <m1BzzA3-000okqC@finlandia.Infodrom.North.DE>
for submit@bugs.debian.org; Wed, 25 Aug 2004 16:54:03 +0200 (CEST)
Date: Wed, 25 Aug 2004 16:54:03 +0200
From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: [CAN-2004-0746] Konqueror Cross-Domain Cookie Injection
Message-ID: <20040825145403.GF6910@finlandia.infodrom.north.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040803i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.5 required=4.0 tests=BAYES_30,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: konqueror
Version: 3.2.3-1
Severity: grave
Tags: security upstream sarge
Web sites operating under the affected domains can set HTTP
cookies in such a way that the Konqueror web browser will send them
to all other web sites operating under the same domain.
A malicious website can use this as part of a session fixation
attack. See e.g. http://www.acros.si/papers/session_fixation.pdf
Affected are all country specific secondary top level domains that
use more than 2 characters in the secondary part of the domain name
and that use a secondary part other than com, net, mil, org, gov,
edu or int. Examples of affected domains are .ltd.uk, .plc.uk and
.firm.in
KDE versions up to KDE 3.2.3 inclusive. KDE 3.3 is not affected.
There is 3.2.3-1 in sid for some architectures, but they will probably
replaced soon by 3.3.0-1 which is said to be not vulnerable.
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
---------------------------------------
Received: (at 268016-done) by bugs.debian.org; 24 Sep 2004 03:12:29 +0000
>From ccheney@cheney.cx Thu Sep 23 20:12:21 2004
Return-path: <ccheney@cheney.cx>
Received: from spameater02-04.dimenocmail.com [66.195.127.26]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1CAgVR-00026F-00; Thu, 23 Sep 2004 20:12:21 -0700
Received: (qmail 63689 invoked by uid 1011); 24 Sep 2004 07:14:22 -0000
Received: from ccheney@cheney.cx by spameater02-04.dimenocmail.com by uid 1008 with qmail-scanner-1.22-st-qms
(spamassassin: 2.64. Clear:RC:1(66.194.152.191):SA:0(-4.9/3.0):.
Processed in 0.162676 secs); 24 Sep 2004 07:14:22 -0000
X-Antivirus-MYDOMAIN-Mail-From: ccheney@cheney.cx via spameater02-04.dimenocmail.com
X-Antivirus-MYDOMAIN: 1.22-st-qms (Clear:RC:1(66.194.152.191):SA:0(-4.9/3.0):. Processed in 0.162676 secs Process 63682)
Received: from pico.surpasshosting.com (66.194.152.191)
by spameater02-04.dimenocmail.com with SMTP; 24 Sep 2004 07:14:22 -0000
Received: from cdm-208-180-235-136.cnro.cox-internet.com ([208.180.235.136] helo=localhost.localdomain)
by pico.surpasshosting.com with esmtp (TLSv1:RC4-SHA:128)
(Exim 4.34)
id 1CAgVP-00046t-FU; Thu, 23 Sep 2004 23:12:19 -0400
Received: from ccheney by localhost.localdomain with local (Exim 4.34)
id 1CAgVN-0007mA-8H; Thu, 23 Sep 2004 22:12:17 -0500
Date: Thu, 23 Sep 2004 22:12:17 -0500
From: Chris Cheney <ccheney@cheney.cx>
To: 268016-done@bugs.debian.org, 266504-done@bugs.debian.org
Subject: closing bugs
Message-ID: <20040924031217.GA24134@cheney.cx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="Hch1Uz/zGPcHFdv8"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040818i
Sender: Christopher L Cheney <ccheney@cheney.cx>
Delivered-To: 268016-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_01 autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
X-CrossAssassin-Score: 2
--Hch1Uz/zGPcHFdv8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
My new upload has included the fixes from the NMU so I am officially
closing the bugs now.
Thanks,
Chris Cheney
--Hch1Uz/zGPcHFdv8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBU5CR0QZas444SvIRAsDvAJ4ieHNeYdNWCGAx0l+WyPtkvn7qggCdEBsv
2xqUJpi/eCZNsk67ulqMAOM=
=+kW+
-----END PGP SIGNATURE-----
--Hch1Uz/zGPcHFdv8--
Reply to: