Security Information / 2006 / Security Information -- DSA-1094-1 gforge

Debian Security Advisory

DSA-1094-1 gforge -- missing input sanitising

Date Reported:

08 Jun 2006

Affected Packages:

gforge

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 328224.
In Mitre's CVE dictionary: CVE-2005-2430.

More information:

Joxean Koret discovered several cross-site scripting vulnerabilities in Gforge, an online collaboration suite for software development, which allow injection of web script code.

The old stable distribution (woody) does not contain gforge packages.

For the stable distribution (sarge) this problem has been fixed in version 3.1-31sarge1.

For the unstable distribution (sid) this problem has been fixed in version 3.1-31sarge1.

We recommend that you upgrade your gforge package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:

http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge1.dsc

http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge1.diff.gz

http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge1_all.deb

http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge1_all.deb

MD5 checksums of the listed files are available in the original advisory.