CVE-2007-6306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6306): Multiple cross-site scripting (XSS) vulnerabilities in the image map feature in JFreeChart 1.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) chart name or (2) chart tool tip text; or the (3) href, (4) shape, or (5) coords attribute of a chart area.
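The injection points the CVE lists are all attribute values of the `<area>` tags JFreeChart writes into an HTML image map. The following is an added example, not JFreeChart's own code, that builds such a map from constructed sample values (the chart name, tool tip, href, shape and coords below are made up, as are the helper names): the unescaped form reproduces the bug class, the hardened form escapes every value with `html.escape(quote=True)`, whitelists `shape` and `coords`, and drops non-http(s) `href` schemes.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample data, not JFreeChart output: the chart name, tool tip text
# and per-area href/shape/coords values that the CVE names as injection points.
SAMPLE_CHART_NAME = "sales<1>"
SAMPLE_ENTITIES = [
    {"shape": "rect", "coords": "10,10,50,50",
     "tooltip": "Sales Q1: 42", "href": "details?q=1"},
    {"shape": "rect", "coords": "60,10,100,50",
     "tooltip": '" onmouseover="alert(1)', "href": "javascript:alert(2)"},
]

ALLOWED_SHAPES = ("rect", "circle", "poly", "default")
COORDS_RE = re.compile(r"\d+(,\d+)*")


def area_tag_unescaped(entity):
    """Vulnerable form: values are interpolated verbatim, so a double quote in
    the tool tip closes the title attribute and the rest becomes markup."""
    return ('<area shape="%s" coords="%s" title="%s" alt="" href="%s"/>'
            % (entity["shape"], entity["coords"],
               entity["tooltip"], entity["href"]))


def safe_href(href):
    """Keep relative links and http(s) URLs only; javascript:, data: and
    similar schemes are replaced by an empty href."""
    if urlsplit(href).scheme.lower() in ("", "http", "https"):
        return href
    return ""


def area_tag_escaped(entity):
    """Hardened form: shape and coords are validated against a whitelist, the
    href scheme is restricted, and every value is HTML-escaped (quote=True
    also turns " and ' into entities) before it lands in an attribute."""
    shape = entity["shape"] if entity["shape"] in ALLOWED_SHAPES else "rect"
    coords = entity["coords"] if COORDS_RE.fullmatch(entity["coords"]) else ""
    return ('<area shape="%s" coords="%s" title="%s" alt="" href="%s"/>'
            % (html.escape(shape, quote=True),
               html.escape(coords, quote=True),
               html.escape(entity["tooltip"], quote=True),
               html.escape(safe_href(entity["href"]), quote=True)))


def build_image_map(name, entities, escaped=True):
    """Assemble the <map> element. The chart name is escaped as well, since the
    CVE lists it as an injection point too."""
    tag = area_tag_escaped if escaped else area_tag_unescaped
    safe_name = html.escape(name, quote=True) if escaped else name
    lines = ['<map id="%s" name="%s">' % (safe_name, safe_name)]
    lines.extend(tag(e) for e in entities)
    lines.append("</map>")
    return "\n".join(lines)


def has_raw_injection(markup):
    """Cheap detector used by this example: an attribute closed early by a raw
    quote followed by an event handler, or a javascript: URL anywhere."""
    return ('" on' in markup) or ("javascript:" in markup.lower())


if __name__ == "__main__":
    print(build_image_map(SAMPLE_CHART_NAME, SAMPLE_ENTITIES, escaped=False))
    print()
    print(build_image_map(SAMPLE_CHART_NAME, SAMPLE_ENTITIES, escaped=True))
```

Running the block prints the two maps side by side; in the unescaped one the second area's `title` attribute ends at the injected quote and `onmouseover="alert(1)"` becomes a live handler, while in the escaped one the same bytes appear as `&quot; onmouseover=&quot;alert(1)` inside the title and the `javascript:` href is emptied. Escaping alone is enough for the XSS; the shape/coords whitelist and the href scheme check are the extra validation a reviewer would ask for in generated markup.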
See $URL for a patch. Java, please advise.
(In reply to comment #1) > See $URL for a patch. Java, please advise. > I think this is the issue that 1.0.8a fixes. I already added it a while ago.
I probably should "cvs up" more often, you are of course right. Question is now whether the (stable) 0.9* versions are also affected by this. If so, we should get a non-vulnerable version stable. If not, this bug is fixed already.
(In reply to comment #3) > > Question is now whether the (stable) 0.9* versions are also affected by this. > If so, we should get a non-vulnerable version stable. If not, this bug is fixed > already. > Well I am just waiting for a patch from upstream to request this version stable. Currently the unit tests fail. https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1851416&group_id=15494
(In reply to comment #4) > > Well I am just waiting for a patch from upstream to request this version > stable. currently the unit tests fail. > Found out they had a 1.0 branch. Pulled the patch from there and asked arches to mark this stable in bug 201306.
This is ready for GLSA vote. I vote NO.
No too, closing.
According to comments here, there were regressions introduced in the update: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37 Petteri, what do you think?
(In reply to comment #8) > According to comments here, there were regressions introduced in the update: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37 > > Petteri, what do you think? > Hopefully upstream will get 1.0.9 out soon and fix the regressions.
(In reply to comment #9) > > Hopefully upstream will get 1.0.9 out soon and fix the regressions. > 1.0.9 is out, let's get it stable.
ppc done
x86 stable
amd64 done.
Closing with NO GLSA as per previous vote.