Bug 212731 (CVE-2008-1168)

Summary:	net-analyzer/sarg <2.2.5 User-Agent XSS issue (CVE-2008-1168)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	netmon, pva
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-03-08 17:22:40 UTC

CVE-2008-1168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1168):
  Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator
  (Sarg) 2.2.3.1 allows remote attackers to inject arbitrary web script or HTML
  via the User-Agent header, which is not properly handled when displaying the
  Squid proxy log.  NOTE: the provenance of this information is unknown; the
  details are obtained solely from third party information.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-03-08 17:24:48 UTC

pva, sorry but we need to bump again.

Comment 2 Peter Volkov (RETIRED) gentoo-dev

2008-03-08 19:52:38 UTC

Heh, this was not announced in sarg mailing list. Thank you Robert. sarg-2.2.5.ebuild is in the tree.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-03-09 01:40:05 UTC

Arches, please test and mark stable:
=net-analyzer/sarg-2.2.5
Target keywords : "amd64 ppc release x86"

Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev

2008-03-09 06:57:16 UTC

ppc stable

Comment 5 Markus Meier gentoo-dev

2008-03-09 12:43:42 UTC

x86 stable

Comment 6 Peter Weller (RETIRED) gentoo-dev

2008-03-10 07:59:44 UTC

amd64 stable

Comment 7 Peter Volkov (RETIRED) gentoo-dev

2008-03-10 09:12:36 UTC

Fixed in release snapshot.

Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-03-10 20:50:30 UTC

glsa request already filed with bug #212208

Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2008-03-12 19:50:38 UTC

GLSA  200803-21 with bug 212208, thanks to everybody