app-text/namazu-2.0.21 has been released and is already in the main portage tree.
According to http://www.namazu.org/security.html.en, <app-text/namazu-2.0.21 has several security issues.
I propose removing <app-text/namazu-2.0.21 from the main portage tree.
Thanks for the report.
@Maintainer, can 2.0.21 go to stable?
(In reply to comment #1)
> Thanks for the report.
> @Maintainer, can 2.0.21 go to stable?
It passes the tests and there are no bugs about -2.0.21, but it hasn't spent 30 days yet.
I added it on 30 Oct. I think a few more days or tests are needed for it to be stable.
Arches, please test and mark stable:
Target keywords : "amd64 ppc64 x86"
+ 28 Nov 2011; Tony Vroon <email@example.com> -namazu-2.0.18.ebuild,
+ namazu-2.0.21.ebuild, metadata.xml:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #391259. Removed 2.0.18 with
+ problematic dependencies so the arch teams can commit without --force. Remove
+ now-unused kakasi USE-flag.
This bug has two security issues: not only CVE-2011-4345 but also CVE-2009-5028 in <app-text/namazu-2.0.20.
# Thanks Jan iankko Lieskovsky @ Red Hat Security Response Team
Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before
2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in
the (1) lang or (2) result parameter.
Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when
Internet Explorer 6 or 7 is used, allows remote attackers to inject
arbitrary web script or HTML via a cookie.
Stack-based buffer overflow in Namazu before 2.0.20 allows remote attackers
to cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted request containing an empty uri field.
(In reply to comment #9)
> CVE-2011-4711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711):
> Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before
> 2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in
> the (1) lang or (2) result parameter.
I guess CVE-2011-4711 does not affect this bug, because the affected version was removed several years ago.
(In reply to comment #10)
> I guess CVE-2011-4711 does not affect this bug, because the affected version was
> removed several years ago.
Thanks, that may be true. We'll need to look at the issue to see if a GLSA should be published, however.
no more stable ppc64 versions; done
@security: please vote for GLSA.
Thanks, folks. GLSA Vote: yes.
Vote: Yes. GLSA request filed.
Nothing left to do on the cjk side. Removing CC.
This issue was resolved and addressed in
GLSA 201311-22 at http://security.gentoo.org/glsa/glsa-201311-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).