Bug 443146 (CVE-2012-6130) - <www-apps/roundup-1.4.20: Multiple XSS (CVE-2012-{6130,6131,6132,6133})
Summary: <www-apps/roundup-1.4.20: Multiple XSS (CVE-2012-{6130,6131,6132,6133})
Status: RESOLVED FIXED
Alias: CVE-2012-6130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-14 20:17 UTC by Agostino Sarubbo
Modified: 2014-08-25 23:00 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-11-14 20:17:29 UTC
From http://www.openwall.com/lists/oss-security/2012/11/10/2 :

Roundup upstream has released a new upstream 1.4.20 version,
correcting multiple cross-site scripting (XSS) flaws (and a
couple of other security-related issues):
[1] http://pypi.python.org/pypi/roundup
[2] https://bugzilla.redhat.com/show_bug.cgi?id=722672

More from [1] (plus relevant tickets inlined too, where
possible to find out):
---------------------------------------------------------
[A] * issue2550729: Fix password history display for anydbm backend,
thanks to Ralf Hemmecke for reporting. (Ralf)
[3] http://issues.roundup-tracker.org/issue2550729

[B] * issue2550684 Fix XSS vulnerability when username contains HTML code,
thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
[4] http://issues.roundup-tracker.org/issue2550684

[C] * issue2550711 Fix XSS vulnerability in @action parameter,
thanks to "om" for reporting. (Ralf)
[5] http://issues.roundup-tracker.org/issue2550711

[D] * Fix wrong execute permissions on some files,
thanks to Cheer Xiao for the patch. (Ralf)

[E] * Fix another XSS with the "otk" parameter,
thanks to Jesse Ruderman for reporting. (Ralf)

[F] * Mark cookies HttpOnly and -- if https is used -- secure. Fixes issue2550689,
but is untested if this really works in browsers. Thanks to Joseph Myers for reporting. (Ralf)
[6] http://issues.roundup-tracker.org/issue2550689

[G] * Fix another XSS with the ok- and error message, see issue2550724. We solve this differently
from the proposals in the bug-report by not allowing any html-tags in ok/error messages
anymore. Thanks to David Benjamin for the bug-report and to Ezio Melotti for several proposed 
fixes. (Ralf)
[7] http://issues.roundup-tracker.org/issue2550724
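Added example (not Roundup's own code and not part of the bug report): a Python sketch of the defensive patterns behind the 1.4.20 fixes listed above, i.e. escaping the username used to build the history link (CVE-2012-6130), escaping reflected parameters such as @action and otk (CVE-2012-6131/6132), treating ok/error messages as plain text, and emitting HttpOnly/Secure session cookies. The function names, the history URL shape and the cookie name are assumptions.

```python
import html
from urllib.parse import quote

# Constructed illustration of the fix classes from the Roundup 1.4.20
# changelog. Names and URL layout are hypothetical, not Roundup's API.


def history_link(username: str) -> str:
    """Link to a user's history page. The username is chosen by whoever
    registered it, so it is URL-encoded inside href and HTML-escaped in
    the link text (the CVE-2012-6130 class of bug)."""
    return '<a href="user?@template=history&amp;name=%s">%s</a>' % (
        quote(username, safe=""), html.escape(username, quote=True))


def reflected_param(value: str) -> str:
    """A request parameter echoed back into the page (@action, otk) is
    escaped the same way (CVE-2012-6131 / CVE-2012-6132 class)."""
    return html.escape(value, quote=True)


def status_message(message: str) -> str:
    """ok/error messages: following the 1.4.20 approach, no HTML tags are
    allowed at all, so the whole message is rendered as plain text."""
    return '<p class="ok-message">%s</p>' % html.escape(message, quote=True)


def session_cookie(name: str, value: str, https: bool) -> str:
    """Set-Cookie value: always HttpOnly, plus Secure when served over
    https (the issue2550689 fix)."""
    attrs = ["%s=%s" % (name, quote(value, safe="")), "Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def raw_tag_survived(rendered: str, marker: str = "<script>") -> bool:
    """Regression check for templates: True if a raw tag reached output."""
    return marker in rendered


if __name__ == "__main__":
    # Constructed sample inputs, the kind a tracker would receive anyway.
    print(history_link("<script>alert(1)</script>"))
    print(reflected_param('"><img src=x>'))
    print(status_message("<b>saved</b>"))
    print(session_cookie("roundup_session", "abc", https=True))
```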
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 15:01:48 UTC
web-apps, is =www-apps/roundup-1.4.20 ready for stabilization?
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:39:43 UTC
Arches, please test and stabilize =www-apps/roundup-1.4.20, target arches: amd64 ppc sparc x86. Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-11 14:00:28 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-12 17:38:10 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-14 10:13:47 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-14 10:40:17 UTC
sparc stable
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-14 15:18:29 UTC
GLSA vote: no.

Maintainers, please drop vulnerable versions.
Comment 8 Sergey Popov gentoo-dev 2013-09-15 11:59:29 UTC
GLSA vote: no

Waiting for cleanup
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 07:40:58 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 01:58:10 UTC
Maintainers, this has not been cleaned up in 5 months.

Please clean up or security will have to force clean in 30 days.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 22:16:21 UTC
CVE-2012-6132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6132):
  Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows
  remote attackers to inject arbitrary web script or HTML via the otk
  parameter.

CVE-2012-6131 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6131):
  Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before
  1.4.20 allows remote attackers to inject arbitrary web script or HTML via
  the @action parameter to support/issue1.

CVE-2012-6130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6130):
  Cross-site scripting (XSS) vulnerability in the history display in Roundup
  before 1.4.20 allows remote attackers to inject arbitrary web script or HTML
  via a username, related to generating a link.
Comment 12 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 23:00:18 UTC
Cleanup appears to have been done, closing noglsa.