[SECURITY] [DLA 2597-1] velocity-tools security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2597-1] velocity-tools security update
From: "Chris Lamb" <lamby@debian.org>
Date: Wed, 17 Mar 2021 12:30:06 -0400 (EDT)
Message-id: <[🔎] 161599857005.2969408.8715583439439053531@tinycat.chris-lamb.co.uk>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2597-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 17, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : velocity-tools
Version        : 2.0-6+deb9u1
CVE ID         : CVE-2020-13959
Debian Bug     : #985221

It was discovered that there was a cross-site scripting (XSS)
vulnerability in velocity-tools, a collection of useful tools for the
"Velocity" template engine.

The default error page could be exploited to steal session cookies,
perform requests in the name of the victim, used for phishing attacks
and many other similar attacks.

For Debian 9 "Stretch", this problem has been fixed in version
2.0-6+deb9u1.

We recommend that you upgrade your velocity-tools packages.

For the detailed security status of velocity-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/velocity-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmBSLmcACgkQHpU+J9Qx
Hlh5Jg//dgNUCvH3xd8rRp+WRO6wbydKLSwi59x01l3jgS5mOnypXi/urXUBYYSn
WM1saZt4dkG8yXAMcRa5WHKbWZ2A8Xg1fHrqAHoF+dU8WsJkaNAkWjpNEmEjhzjc
R1rrdN3UkUjK4A8FspTWKBdC/YeQLmVapBALxAZGKCyxmruzXhoYsyi8vk0ZJWRY
5xu2A+UjpcfMkWj1lDNGY37azFBv5r2wxSsIhPScKvYUCVN55sb4jvZ/SBYaKin5
kCOVGjV2wloqi0gOr+Eq/qfj6QW1d/v8nPa+RGPacmwj/RbuzMl2VSNkmYweAxob
qK4+OMMipFa3/OGBpe270SytY1FadiNiJEPgEXe76m7L2ufJLvsactSNX1Fqn/7Z
E0kpwhIk4gpexYhQQ2x9EEiTF4VpIzDOb8Osztfrbqoq7DjCQAiDfG9PrqcGpQQP
1In2YfGVkSvoYoNqqirPpOnX3DLd2Er5aBjyVDG1Q0RdfDkCwM9TnbxqUSMmw3lA
FyFW/MyHVQKrFq+FM+tnYTjRLqDgyyniyhXEIC69XVRPK8qGuvny4uh9ARe/NW3P
BoR3DwyB75VN13W3n2au+MMBvV87N8hkHfjPcRYS7m1xlRzS+KTW0Hzs48t+Y4Uc
J4Zd5kZUUAntM1+19NmqBa0CbhlyBRHhDqdrTjjJwYwpR9m0y08=
=KVwn
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2596-1] shadow security update
Next by Date: [SECURITY] [DLA 2598-1] squid3 security update
Previous by thread: [SECURITY] [DLA 2596-1] shadow security update
Next by thread: [SECURITY] [DLA 2598-1] squid3 security update
Index(es):
- Date
- Thread