CVE-2009-1175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1175): Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in the DAAP extension in Banshee 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the server parameter, which is not properly handled in an error message.
Our stable 0.12.1 ships similar files to the 1.4.2 in question with relation to the DAAP web service, so I rated this B3. Let's see how upstream comes up with a patch.
Fixed in 1.5.0 by the looks of it, but it's p.masked by loki_val, with message "Development version, Work-In-Progress". <snap> Comment #4 from Gabriel Burt (banshee developer, points: 21) 2009-05-04 16:22 UTC [reply] I have pushed a fix to both the stable branch (from which 1.4.4 will be released) and master (from which 1.5.0 etc will come). </snap>
+*banshee-1.4.3-r2 (23 Jul 2009) + + 23 Jul 2009; Samuli Suominen <ssuominen@gentoo.org> + +banshee-1.4.3-r2.ebuild, +files/banshee-1.4.3-CVE-2009-1175.patch: + Backport patch from upstream git for DAAP Cross-site scripting + CVE-2009-1175 wrt #264568.
*** Bug 272322 has been marked as a duplicate of this bug. ***
fix: http://git.gnome.org/cgit/banshee/commit/?id=e0f56bfb7d35abd962a4c13029e236e9e92872db
x86 stable
amd64 stable
ppc, ping
ppc done
XSS → noglsa.
