Michael Brooks (Sitewatch) discovered an XSS issue in the nonjs interface that allowed HTML injection via a crafted parameter.

0.5.10 is now available. This is actually just 0.5.9 with the following fix:

- CVE-2011-0050: XSS in R param in nonjs interface

Debian security announcement: http://packetstormsecurity.org/files/view/98370/dsa-2158-1.txt
CVE-2011-0050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0050): Cross-site scripting (XSS) vulnerability in the nonjs interface (interfaces/nonjs.pm) in CGI:IRC before 0.5.10 allows remote attackers to inject arbitrary web script or HTML via the R parameter.
Could someone please make this depend on bug #417377?
*** Bug 417377 has been marked as a duplicate of this bug. ***
Created attachment 322902
cgiirc-0.5.10.ebuild

Ok, as bug #417377 has been closed, I will post my new ebuild here. Essentially I just renamed the 0.5.9 ebuild to 0.5.10 and modified HOMEPAGE and SRC_URI, because it seems that the project has moved off sourceforge.net to some private hosting. Once it's on the gentoo mirrors, someone please modify the SRC_URI again. Made manifest, installed and everything works well ;)
Maintainer very much timed out. Bumped. Closing noglsa. +*cgiirc-0.5.10 (03 Sep 2013) + + 03 Sep 2013; Chris Reffett <creffett@gentoo.org> +cgiirc-0.5.10.ebuild, + -cgiirc-0.5.9.ebuild: + Security bump wrt bug 354345 +
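Review bot: the ChangeLog message "Security bump wrt bug 354345" identifies the fix only by bug number; adding CVE-2011-0050 to that line would make the entry searchable by CVE id. Because "-cgiirc-0.5.9.ebuild" removes the affected version in the same commit, it is also worth confirming that the new 0.5.10 ebuild carries the keywords 0.5.9 had, so that no architecture is left without an installable version.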