From ${URL} :

Seth Arnold (seth.arnold@canonical.com) reports:

Hello Kurt, Steve, all,

I am requesting a 2012 CVE for an incomplete security fix in smokeping, fixed in version 2.6.9.

CVE-2012-0790 was assigned to smokeping for XSS flaws. The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

The version in 2.6.9 uses the following blacklist:

    my $xssBadRx = qr/[<>%&'";]/;

(', ", and ; have been added. When it is used, blacklist chars are now turned to _ rather than . )

The 2.6.9 version prevents escaping <html attribute="..."> via " characters.

The incomplete fix is in 2.6.7 and 2.6.8.

This flaw was discovered by Florian Weimer [1] in 2012 and brought to our attention [2] in 2013.

The upstream CHANGES [3] file includes, in part:

--------------------------------------------------
2013/03/04 - released version 2.6.9
* be more careful about preventing xss attacks, re http://bugs.debian.org/659899 (tobi)
--------------------------------------------------

I have not found an up-to-date online browsable source.

Thanks

1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
3: http://oss.oetiker.ch/smokeping/pub/CHANGES

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
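The difference between the two blacklists quoted in the report above, as an added Perl example that is not part of the original report or of smokeping's code. Only the two character classes and their replacement characters come from the report; the `render` template, the helper names and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not smokeping source code.
use strict;
use warnings;

# Blacklist quoted for 2.6.7 / 2.6.8: matched characters become "."
sub filter_267 {
    my ($value) = @_;
    $value =~ s/[<>&%]/./g;
    return $value;
}

# Blacklist quoted for 2.6.9: adds ' " ; and replaces with "_"
my $xssBadRx = qr/[<>%&'";]/;
sub filter_269 {
    my ($value) = @_;
    $value =~ s/$xssBadRx/_/g;
    return $value;
}

# Hypothetical template: the filtered value lands inside a
# double-quoted HTML attribute.
sub render {
    my ($value) = @_;
    return qq{<input name="mode" value="$value">};
}

# A surviving double quote ends the attribute early, so the rest of
# the value is parsed as markup instead of data.
sub leaves_attribute {
    my ($value) = @_;
    return $value =~ /"/ ? 'yes' : 'no';
}

# Constructed sample inputs (benign markers only).
my @samples = (
    '<b>bold</b>',
    'x" data-marker="1',
    q{it's;ok},
);

for my $input (@samples) {
    for my $f ([ '2.6.7', \&filter_267 ], [ '2.6.9', \&filter_269 ]) {
        my ($version, $filter) = @$f;
        my $out = $filter->($input);
        printf "%-5s leaves attribute: %-3s %s\n",
            $version, leaves_attribute($out), render($out);
    }
}
```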
2.6.9 is already the only version in tree and is a stable package. GLSA?
(In reply to Chris Reffett from comment #1)
> 2.6.9 is already the only version in tree and is a stable package. GLSA?

Usually the security team do not send glsa for the XSS.
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Chris Reffett from comment #1)
> > 2.6.9 is already the only version in tree and is a stable package. GLSA?
>
> Usually the security team do not send glsa for the XSS.

And by "[u]sually" you intend to except some 57 cases? I guess there is more to it than that...
Yeah, uh, I'll leave it for a vote and the security team can yell at me if this was supposed to stay closed :)
GLSA vote: no
GLSA vote: no. Closing as [noglsa]