Bug 626622 (CVE-2017-11737) - <mail-filter/rspamd-1.6.3: XSS via the Subject and Message-Id headers (CVE-2017-11737)
Status: RESOLVED FIXED
Alias: CVE-2017-11737
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa cve]
Reported: 2017-07-30 15:28 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-08-07 21:16 UTC
Description Aleksandr Wagner (Kivak) 2017-07-30 15:28:12 UTC
CVE-2017-11737 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11737):

interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page. 

https://github.com/vstakhov/rspamd/issues/1738
https://github.com/vstakhov/rspamd/releases/tag/1.6.3
https://github.com/vstakhov/rspamd/commit/dca6ede4d650e98240f8438b50484955afbedc3e
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-07-30 18:53:57 UTC
1.6.3 is now in the tree, and there are no stable ebuilds for this package.
Comment 2 Aleksandr Wagner (Kivak) 2017-07-31 18:46:36 UTC
Maintainers, please drop all vulnerable versions in the tree.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-08-06 19:59:59 UTC
(In reply to Dirkjan Ochtman from comment #1)
> 1.6.3 is now in the tree, and there are no stable ebuilds for this package.

The vulnerable packages must still be removed. If there is a reason you cannot, then please let us know for tracking.
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-08-07 18:03:43 UTC
Did that yesterday, forgot to mention it here.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-07 21:16:01 UTC
Cleaned up via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c30fed80cf5fe7b05435a994a5eef30f02c68f26

Repository is now clean, all done.