Debian Security Advisory

DSA-265-1 bonsai -- several vulnerabilities

Date Reported:
21 Mar 2003
Affected Packages:
bonsai
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2003-0152, CVE-2003-0153, CVE-2003-0154, CVE-2003-0155.
More information:

RĂ©mi Perrot fixed several security related bugs in the bonsai, the Mozilla CVS query tool by web interface. Vulnerabilities include arbitrary code execution, cross-site scripting and access to configuration parameters. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0152 - Remote execution of arbitrary commands as www-data
  • CAN-2003-0153 - Absolute path disclosure
  • CAN-2003-0154 - Cross site scripting attacks
  • CAN-2003-0155 - Unauthenticated access to parameters page

For the stable distribution (woody) these problems have been fixed in version 1.3+cvs20020224-1woody1.

The old stable distribution (potato) is not affected since it doesn't contain bonsai.

For the unstable distribution (sid) these problems have been fixed in version 1.3+cvs20030317-1.

We recommend that you upgrade your bonsai package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1.dsc
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1.diff.gz
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/b/bonsai/bonsai_1.3+cvs20020224-1woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.