app-text/namazu-2.0.21 has been released and is already in the main portage tree. According to http://www.namazu.org/security.html.en, <app-text/namazu-2.0.21 has several security issues. I propose removing <app-text/namazu-2.0.21 from the main portage tree.
Reproducible: Always
Thanks for the report. @Maintainer, can 2.0.21 go to stable?
(In reply to comment #1)
> Thanks for the report.
>
> @Maintainer, can 2.0.21 go to stable?
It passes the tests and there are no bugs about -2.0.21, but it hasn't spent 30 days yet. I added it on 30 Oct. I think a few more days or tests are needed for it to be stable.
Arches, please test and mark stable: =app-text/namazu-2.0.21 Target keywords : "amd64 ppc64 x86"
amd64 ok
amd64: pass
+ 28 Nov 2011; Tony Vroon <chainsaw@gentoo.org> -namazu-2.0.18.ebuild, + namazu-2.0.21.ebuild, metadata.xml: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & + Elijah "Armageddon" El Lazkani in security bug #391259. Removed 2.0.18 with + problematic dependencies so the arch teams can commit without --force. Remove + now-unused kakasi USE-flag.
x86 stable
This bug has two security issues: not only CVE-2011-4345 but also CVE-2009-5028 in <app-text/namazu-2.0.20.
http://www.openwall.com/lists/oss-security/2011/11/23/8
# Thanks Jan iankko Lieskovsky @ Red Hat Security Response Team
CVE-2011-4711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711): Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before 2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) result parameter.
CVE-2011-4345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4345): Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when Internet Explorer 6 or 7 is used, allows remote attackers to inject arbitrary web script or HTML via a cookie.
CVE-2009-5028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5028): Stack-based buffer overflow in Namazu before 2.0.20 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted request containing an empty uri field.
(In reply to comment #9)
> CVE-2011-4711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711):
> Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before
> 2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in
> the (1) lang or (2) result parameter.
I guess CVE-2011-4711 does not affect this bug, because the affected version was removed several years ago.
(In reply to comment #10)
> I guess CVE-2011-4711 does not affect this bug, because the affected version
> was removed several years ago.
Thanks, that may be true. We'll need to look at the issue to see if a GLSA should be published, however.
no more stable ppc64 versions; done
Thanks everyone. @security: please vote for GLSA.
Thanks, folks. GLSA Vote: yes.
Vote: Yes. GLSA request filed.
Nothing left to do on the cjk side. Removing CC.
This issue was resolved and addressed in GLSA 201311-22 at http://security.gentoo.org/glsa/glsa-201311-22.xml by GLSA coordinator Sergey Popov (pinkbyte).