Description: An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks. SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Created attachment 50309 [details, diff] htdig-3.2.0b6-unescaped_output.patch Patch from RedHat
web-apps: please apply and bump
*** Bug 79691 has been marked as a duplicate of this bug. ***
I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so I've only patched htsearch.cc. 3.1.6-r7 is stable on x86. amd64, ppc, and sparc, please mark stable.
stable on amd64
Stable on ppc.
htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both version to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?
> htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both version to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well? Karl, no and actually it's not even possible to set SLOT in ebuilds that inherit webapp.eclass. SLOT is handled by webapps.eclass which r4 doesn't use (it uses the older deprecated webapp-apache).
Stable on SPARC.
Security please vote on GLSA.
I vote for a GLSA on this one.
dito
GLSA 200502-16