
[SECURITY] [DLA 1241-1] libkohana2-php security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libkohana2-php
Version        : 2.3.4-2+deb7u1
CVE ID         : CVE-2016-10510

David Sopas discovered that Kohana, a PHP framework, was vulnerable to
a cross-site scripting (XSS) attack that allowed remote attackers to
inject arbitrary web script or HTML by bypassing the strip_image_tags
protection mechanism in system/classes/Kohana/Security.php. This issue
was resolved by permanently removing the strip_image_tags function.
Users are advised to sanitize user input by using external libraries
instead.

For Debian 7 "Wheezy", this problem has been fixed in version
2.3.4-2+deb7u1.

We recommend that you upgrade your libkohana2-php packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
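
Because the fix removes strip_image_tags outright, application code that still calls it will fail once the upgrade is applied. The following shell script is an added example, not part of the advisory: it compares the installed libkohana2-php version with the fixed version and lists remaining call sites in an application tree. The function names and the application path argument are assumptions.

```shell
#!/bin/sh
# Added example: post-upgrade audit for DLA 1241-1 (not from the advisory).
PACKAGE='libkohana2-php'          # package name from the advisory
FIXED_VERSION='2.3.4-2+deb7u1'    # fixed version from the advisory

# Print one of: fixed, vulnerable, not-installed, no-dpkg.
kohana_package_status() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "no-dpkg"; return 0; }
    installed=$(dpkg-query -W -f='${Version}' "$PACKAGE" 2>/dev/null) || installed=''
    if [ -z "$installed" ]; then
        echo "not-installed"
    elif dpkg --compare-versions "$installed" ge "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Print "file:line" for each call of the removed function under directory $1.
# Only *.php files are searched; the function's own definition is skipped.
find_strip_image_tags_calls() {
    find "$1" -type f -name '*.php' \
        -exec grep -nHE 'strip_image_tags[[:space:]]*\(' {} + 2>/dev/null |
        grep -vE 'function[[:space:]]+strip_image_tags' |
        cut -d: -f1,2
}

# Print the number of call sites found under directory $1.
count_strip_image_tags_calls() {
    find_strip_image_tags_calls "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /path/to/application   (path is an assumption)
if [ -n "${1:-}" ]; then
    echo "package status: $(kohana_package_status)"
    echo "call sites of strip_image_tags: $(count_strip_image_tags_calls "$1")"
    find_strip_image_tags_calls "$1"
fi
```

Each reported call site needs to be replaced with sanitization from an external library, as the advisory recommends.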

