Gentoo Bug 212731 - net-analyzer/sarg <2.2.5 User-Agent XSS issue (CVE-2008-1168)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	212731
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 212731 depends on:			Show dependency tree
Bug 212731 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2008-03-08 17:22 0000

CVE-2008-1168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1168):
  Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator
  (Sarg) 2.2.3.1 allows remote attackers to inject arbitrary web script or HTML
  via the User-Agent header, which is not properly handled when displaying the
  Squid proxy log.  NOTE: the provenance of this information is unknown; the
  details are obtained solely from third party information.

------- Comment #1 From Robert Buchholz 2008-03-08 17:24:48 0000 -------

pva, sorry but we need to bump again.

------- Comment #2 From Peter Volkov 2008-03-08 19:52:38 0000 -------

Heh, this was not announced in sarg mailing list. Thank you Robert.
sarg-2.2.5.ebuild is in the tree.

------- Comment #3 From Robert Buchholz 2008-03-09 01:40:05 0000 -------

Arches, please test and mark stable:
=net-analyzer/sarg-2.2.5
Target keywords : "amd64 ppc release x86"

------- Comment #4 From Tobias Scherbaum 2008-03-09 06:57:16 0000 -------

ppc stable

------- Comment #5 From Markus Meier 2008-03-09 12:43:42 0000 -------

x86 stable

------- Comment #6 From Peter Weller 2008-03-10 07:59:44 0000 -------

amd64 stable

------- Comment #7 From Peter Volkov 2008-03-10 09:12:36 0000 -------

Fixed in release snapshot.

------- Comment #8 From Pierre-Yves Rofes 2008-03-10 20:50:30 0000 -------

glsa request already filed with bug #212208

------- Comment #9 From Raphael Marichez 2008-03-12 19:50:38 0000 -------

GLSA  200803-21 with bug 212208, thanks to everybody

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 212731

net-analyzer/sarg <2.2.5 User-Agent XSS issue (CVE-2008-1168)

Last modified: 2008-03-12 19:50:38 0000