[SECURITY] [DLA 68-1] fex security update

Package : fex
Version : 20100208+debian1-1+squeeze4
CVE ID  : CVE-2014-3875 CVE-2014-3876 CVE-2014-3877

[CVE-2014-3875]

When inserting encoded newline characters into a request to rup,
additional HTTP headers can be injected into the reply, as well
as new HTML code on the top of the website.

[CVE-2014-3876]

The parameter akey is reflected unfiltered as part of the HTML
page. Some characters are forbidden in the GET parameter due
to filtering of the URL, but this can be circumvented by using
a POST parameter. Nevertheless, this issue is exploitable via
the GET parameter alone, with some user interaction.

[CVE-2014-3877]

The parameter addto is reflected only slightly filtered back to
the user as part of the HTML page. Some characters are forbidden
in the GET parameter due to filtering of the URL, but this can
be circumvented by using a POST parameter. Nevertheless, this
issue is exploitable via the GET parameter alone, with some user
interaction.
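
For operators reviewing logs from before the update, a triage sketch for the three issues above. It is an added example, not code from this advisory or from the fex project. Assumptions: requests are logged in Common Log Format, the sample lines, the PLACEHOLDER-CGI path and the parameter name x are constructed, and the allow-list for akey/addto values is a guess to tune per installation. Access logs do not record POST bodies, so only GET attempts are visible this way.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Common Log Format assumed). The advisory does not
# say which script reads akey/addto, so PLACEHOLDER-CGI stands in for it.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /rup?akey=0123abcd HTTP/1.1" 200 512
192.0.2.11 - - [01/Oct/2014:10:00:02 +0000] "GET /rup?x=1%0d%0aX-Test:%201 HTTP/1.1" 200 512
192.0.2.12 - - [01/Oct/2014:10:00:03 +0000] "GET /PLACEHOLDER-CGI?addto=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 734
192.0.2.13 - - [01/Oct/2014:10:00:04 +0000] "GET /PLACEHOLDER-CGI?addto=alice%40example.org HTTP/1.1" 200 734
192.0.2.14 - - [01/Oct/2014:10:00:05 +0000] "GET /PLACEHOLDER-CGI?akey=abc%22x HTTP/1.1" 200 734
192.0.2.15 - - [01/Oct/2014:10:00:06 +0000] "GET /rup?akey=a%0Ab HTTP/1.1" 200 512
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*"')
ENCODED_NEWLINE = re.compile(r"%0[ad]", re.IGNORECASE)
# Assumed allow-list of characters a legitimate akey/addto value may contain.
SAFE_VALUE = re.compile(r"[A-Za-z0-9@._+,-]*")
REFLECTED = {"akey": "CVE-2014-3876", "addto": "CVE-2014-3877"}

def classify(target):
    """Return the sorted CVE ids a request target (path plus query) is consistent with."""
    parts = urlsplit(target)
    hits = set()
    # CVE-2014-3875: encoded CR/LF anywhere in a request to rup.
    if parts.path.rsplit("/", 1)[-1] == "rup" and ENCODED_NEWLINE.search(target):
        hits.add("CVE-2014-3875")
    # CVE-2014-3876/3877: decoded akey/addto value outside the allow-list.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in REFLECTED and not SAFE_VALUE.fullmatch(value):
            hits.add(REFLECTED[name])
    return sorted(hits)

def triage(log_text):
    """Map 1-based line number -> CVE ids for every log line worth a closer look."""
    findings = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        hits = classify(match.group(1)) if match else []
        if hits:
            findings[number] = hits
    return findings

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_LOG).items():
        print(number, ", ".join(hits))
```

A hit means the request matches the pattern described in the advisory, not that it succeeded; review it against the response and the installed package version.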