CVE-2007-6110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6110): Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote attackers to inject arbitrary web script or HTML via the sort parameter.
Web-apps, please advise.
Hrm, looks like no upstream activity since 2004. The bug has been reported by SuSE but what I assume is their latest package (htdig-3.2.0b6-123) does not seem to provide a fix for the issue. The application is currently marked stable on these architectures: alpha amd64 hppa ia64 ppc ppc64 sparc x86 We'll probably have to mask it if there is no way to get a fix for this.
Created attachment 137588 [details, diff] htdig-quoting.patch
Suse provides an updated package in their 10.2 testing repository, I attached the patch above. It actually removes the output rather than quoting it, but in the end, that error message would not come from links inside the application anyway.
Sorry, I obviously didn't know where I had to check. Thanks for the hint. No I found it too and applied the patch. htdig-3.2.0_beta6-r3 is in the tree and needs to be marked stable by alpha amd64 hppa ia64 ppc ppc64 sparc x86
added arches
x86 stable
alpha/ia64/sparc stable and beandog did amd64
Stable for HPPA.
ppc64 stable
ppc stable, ready for glsa voting
non-persistent xss, voting NO.
Removed insecure ebuild. weapps done here.
no too, closing.
Does not affect current (2008.0) release. Removing release.