Debian Security Advisory

DSA-265-1 bonsai -- several vulnerabilities

Date Reported:
21 Mar 2003
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2003-0152, CVE-2003-0153, CVE-2003-0154, CVE-2003-0155.
More information:

RĂ©mi Perrot fixed several security related bugs in the bonsai, the Mozilla CVS query tool by web interface. Vulnerabilities include arbitrary code execution, cross-site scripting and access to configuration parameters. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0152 - Remote execution of arbitrary commands as www-data
  • CAN-2003-0153 - Absolute path disclosure
  • CAN-2003-0154 - Cross site scripting attacks
  • CAN-2003-0155 - Unauthenticated access to parameters page

For the stable distribution (woody) these problems have been fixed in version 1.3+cvs20020224-1woody1.

The old stable distribution (potato) is not affected since it doesn't contain bonsai.

For the unstable distribution (sid) these problems have been fixed in version 1.3+cvs20030317-1.

We recommend that you upgrade your bonsai package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.