Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote:
> Package : cgiirc
> Vulnerability : cross-site scripting
> Problem type : local
> Debian-specific: no
> CVE ID : CVE-2011-0050
>
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
> cgiirc, a web based IRC client, which could lead to the execution
> of arbitrary javascript.
>
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
>
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.
No sign of this yet on security.debian.org for lenny, but
http://packages.qa.debian.org/c/cgiirc.html
says that 0.5.9-3lenny1 is in stable-sec (which is of course squeeze-sec
now), so it looks like this package went to the wrong distribution
(although as both lenny and squeeze had 0.5.9-3 previously this may
not be a disaster).
Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Reply to: