oss-sec mailing list archives

CVE Request -- roundup: Multiple XSS flaws plus other security related fixes corrected in upstream 1.4.20 version


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Sat, 10 Nov 2012 06:42:01 -0500 (EST)

Hello Kurt, Steve, vendors,

  Roundup upstream has released a new upstream 1.4.20 version,
correcting multiple cross-site scripting (XSS) flaws (and a
couple of other security-related issues):
[1] http://pypi.python.org/pypi/roundup
[2] https://bugzilla.redhat.com/show_bug.cgi?id=722672

More from [1] (plus the relevant tickets inlined too, where
it was possible to find them):
---------------------------------------------------------
[A] * issue2550729: Fix password history display for anydbm backend,
thanks to Ralf Hemmecke for reporting. (Ralf)
[3] http://issues.roundup-tracker.org/issue2550729

[B] * issue2550684 Fix XSS vulnerability when username contains HTML code,
thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
[4] http://issues.roundup-tracker.org/issue2550684

[C] * issue2550711 Fix XSS vulnerability in @action parameter,
thanks to "om" for reporting. (Ralf)
[5] http://issues.roundup-tracker.org/issue2550711

[D] * Fix wrong execute permissions on some files,
thanks to Cheer Xiao for the patch. (Ralf)

[E] * Fix another XSS with the "otk" parameter,
thanks to Jesse Ruderman for reporting. (Ralf)

[F] * Mark cookies HttpOnly and -- if https is used -- secure. Fixes issue2550689,
but is untested if this really works in browsers. Thanks to Joseph Myers for reporting. (Ralf)
[6] http://issues.roundup-tracker.org/issue2550689

[G] * Fix another XSS with the ok- and error message, see issue2550724. We solve this differently
from the proposals in the bug-report by not allowing any html-tags in ok/error messages
anymore. Thanks to David Benjamin for the bug-report and to Ezio Melotti for several proposed fixes. (Ralf)
[7] http://issues.roundup-tracker.org/issue2550724

Cc-ed Ralf Schlatterbeck on this post too to clarify whether issues [A] and [D]
would also have security implications, IOW whether those would be security flaws too.
Ralf, please clarify. Thank you, Jan.

Could you allocate CVE ids for these (once clarified)?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
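The fix classes listed above (user-controlled values such as the username, the @action parameter and ok/error messages reaching an HTML sink unescaped, and session cookies lacking the HttpOnly and Secure attributes) are easier to reason about with a small side-by-side. The following is an added illustration written for this archive page; it is not Roundup's code and not part of Jan's message. The template strings, the cookie name `roundup_session`, and the sample inputs are all constructed assumptions; the "before" renderer shows the unescaped-interpolation pattern and the other functions show the escaping, tag-stripping and cookie-flag mitigations in standard-library Python.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample inputs for the demonstration (not taken from the tracker or the advisory).
SAMPLE_USERNAME = '<script>alert(1)</script>'
SAMPLE_ACTION = 'login" onmouseover="alert(1)'
SAMPLE_OK_MESSAGE = 'Saved <b>ok</b> <img src=x onerror=alert(1)>'


def render_greeting_vulnerable(username: str) -> str:
    """The 'before' pattern: a user-controlled value is interpolated into HTML as-is.

    Any markup in the username lands verbatim in the page, which is the XSS class
    described by issue2550684.  (Template string is an assumption, not Roundup's.)
    """
    return '<p>Welcome, %s</p>' % username


def render_greeting_escaped(username: str) -> str:
    """Hardened: escape at the HTML sink.  quote=True also escapes ' and " so the
    same helper is safe in attribute context."""
    return '<p>Welcome, %s</p>' % html.escape(username, quote=True)


def render_hidden_action(action: str) -> str:
    """Attribute context for the @action parameter: escaping the quote characters
    stops the value from closing the attribute and adding event handlers."""
    return '<input type="hidden" name="@action" value="%s">' % html.escape(action, quote=True)


_TAG_RE = re.compile(r'<[^>]*>')


def sanitize_message(message: str) -> str:
    """Stricter policy for ok/error messages: strip every tag, then escape what is
    left, so no markup at all survives (mirrors the 'no html-tags in ok/error
    messages' approach from the advisory; the implementation here is our own)."""
    return html.escape(_TAG_RE.sub('', message), quote=True)


def session_cookie_header(session_id: str, https: bool) -> str:
    """Build a Set-Cookie value with HttpOnly always set and Secure only when the
    request arrived over HTTPS, so the cookie is still usable on a plain-http
    deployment.  Cookie name is an assumption."""
    cookie = SimpleCookie()
    cookie['roundup_session'] = session_id
    morsel = cookie['roundup_session']
    morsel['httponly'] = True
    morsel['path'] = '/'
    if https:
        morsel['secure'] = True
    # output() prefixes the header name; pass an empty one to get just the value.
    return cookie.output(header='').strip()


def payload_survives(rendered: str, payload: str) -> bool:
    """Quick regression check a template reviewer can run: does the raw payload
    appear verbatim in the rendered output?"""
    return payload in rendered


if __name__ == '__main__':
    print(render_greeting_vulnerable(SAMPLE_USERNAME))
    print(render_greeting_escaped(SAMPLE_USERNAME))
    print(render_hidden_action(SAMPLE_ACTION))
    print(sanitize_message(SAMPLE_OK_MESSAGE))
    print(session_cookie_header('abc123', https=True))
    print(session_cookie_header('abc123', https=False))
```

The `payload_survives` check is the kind of assertion worth wiring into a template test suite: run each user-influenced field through the real renderer with a tag-bearing sample and fail the build if the raw sample comes back untouched.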

