CVE-2011-5081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5081): Cross-site scripting (XSS) vulnerability in RestoreFile.pm in BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows remote attackers to inject arbitrary web script or HTML via the share parameter in a RestoreFile action to index.cgi. CVE-2011-4923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4923): Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer, a different vulnerability than CVE-2011-3361.
An update (3.3.0) is available that fixes the XSS vulnerabilities. 02-fix-config.pl-formatting.patch does not run properly on the updated package however. A new patch and ebuild should be created.
+ 18 Sep 2014; Tony Vroon <chainsaw@gentoo.org> -backuppc-2.1.2-r1.ebuild, + -backuppc-3.2.1-r2.ebuild, -backuppc-3.2.1-r3.ebuild: + Remove vulnerable ebuilds for security bug #405685.
No glsa for XSS.
