Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 64154 - dev-java/snipsnap-bin: http response splitting
Summary: dev-java/snipsnap-bin: http response splitting
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] lewk
Depends on:
Reported: 2004-09-15 10:30 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-09-15 10:30:50 UTC
Author: Maestro (me!)

Date: 14-SEP-04
Vendor: SnipSnap (
Product: SnipSnap 0.5.2a

Product description (from vendor website):
SnipSnap is a free and easy to install weblog and wiki tool written in Java.

Problem: Http response splitting (web cache poisoning, xss, 
yadayadayada) -

POST /exec/authenticate HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 197


(replace curly braces with lessthan and greaterthan)

Vendor status: vendor fixed in version 1.0B1. From vendor website:
Tuesday, 14. September 2004
SnipSnap 1.0b1 (uttoxeter) released 
SnipSnap version 1.0b1 has just been released. This release was necessary due to the demand to get updates from 0.5.2a and a security issue know as HTTP response splitting found by someone called Maestro De-Seguridad.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-15 11:54:11 UTC
Java herd, please bump to release 1.0B1.
Comment 2 Thomas Matthijs (RETIRED) gentoo-dev 2004-09-15 16:00:48 UTC
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-09-15 16:19:35 UTC
arches, please mark stable.
Comment 4 Thomas Matthijs (RETIRED) gentoo-dev 2004-09-16 00:36:13 UTC
Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-09-16 01:12:37 UTC
stable on ppc, x86
java and ppc removed from cc.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 01:26:56 UTC
Ready for a GLSA decision
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:46:48 UTC
Yes, a GLSA is needed. lewk, the draft is yours.
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-09-17 05:52:40 UTC
glsa 200409-23