Re: [SECURITY] [DSA-2158-1] cgiirc security update

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA-2158-1] cgiirc security update
From: Dominic Hargreaves <dom@earth.li>
Date: Thu, 10 Feb 2011 12:17:00 +0000
Message-id: <[🔎] 20110210121700.GZ4803@urchin.earth.li>
In-reply-to: <20110209213248.GA11819@steve.org.uk>
References: <20110209213248.GA11819@steve.org.uk>

On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote:
> Package        : cgiirc
> Vulnerability  : cross-site scripting
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2011-0050
> 
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
> cgiirc, a web based IRC client, which could lead to the execution
> of arbitrary javascript.
> 
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
>
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.

No sign of this yet on security.debian.org for lenny, but 

http://packages.qa.debian.org/c/cgiirc.html

says that 0.5.9-3lenny1 is in stable-sec (which is of course squeeze-sec
now), so it looks like this package went to the wrong distribution
(although as both lenny and squeeze had 0.5.9-3 previously this may
not be a disaster).

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Reply to:

Prev by Date: Re: status of introducing security mechanisms in Debian
Next by Date: Re: [SECURITY] [DSA-2158-1] cgiirc security update
Previous by thread: Re: [denis.feklushkin@gmail.com: Re: [SECURITY] [DSA-2157-1] PostgreSQL security update]
Next by thread: Re: [SECURITY] [DSA-2158-1] cgiirc security update
Index(es):
- Date
- Thread