Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-298-1 roundup

Debian Security Advisory

DLA-298-1 roundup -- LTS security update

Date Reported:

23 Aug 2015

Affected Packages:

roundup

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-6130, CVE-2012-6131, CVE-2012-6132, CVE-2012-6133.

More information:

• CVE-2012-6130

  Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

• CVE-2012-6131

  Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

• CVE-2012-6132

  Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.

• CVE-2012-6133

  XSS flaws in ok and error messages We solve this differently from the proposals in the bug-report by not allowing *any* html-tags in ok/error messages anymore.