Debian Security Advisory

DSA-2056-1 zonecheck -- missing input sanitizing

Date Reported:
06 Jun 2010
Affected Packages:
zonecheck
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 583290.
In Mitre's CVE dictionary: CVE-2010-2052, CVE-2010-2155, CVE-2009-4882.
More information:

It was discovered that in ZoneCheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks.

For the stable distribution (lenny), this problem has been fixed in version 2.0.4-13lenny1.

For the testing distribution (squeeze), this problem has been fixed in version 2.1.1-1.

For the unstable distribution (sid), this problem has been fixed in version 2.1.1-1.

We recommend that you upgrade your zonecheck packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4.orig.tar.gz
http://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1.dsc
http://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/z/zonecheck/zonecheck-cgi_2.0.4-13lenny1_all.deb
http://security.debian.org/pool/updates/main/z/zonecheck/zonecheck_2.0.4-13lenny1_all.deb

MD5 checksums of the listed files are available in the original advisory.