From ${URL}: I am sorry to report that one of my packages (with upstream hat on) has an XSS attack vulnerability. The way for the attacker to exploit this is to redirect the user's browser in a LAN to the apt-cacher-ng server (whose address the attacker has to know) with a manipulated URL. Since the location and TCP port of the cacher server are configurable, it's IMHO not totally easy to find, but it is still a good attack vector with insider knowledge. Here is the proposed fix: http://anonscm.debian.org/gitweb/?p=apt-cacher-ng/apt-cacher-ng.git;a=commitdiff;h=6f08e6a3995d1bed4e837889a3945b6dc650f6ad
Do we have an upstream version that addresses this issue?
(In reply to Agostino Sarubbo from comment #1)
> Do we have an upstream version that addresses this issue?

I've only seen the upstream patch in git so far, no released upstream version.
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Agostino Sarubbo from comment #1)
> > Do we have an upstream version that addresses this issue?
>
> I've only seen the upstream patch in git so far, no released upstream version.

So in that case, the tag is upstream/ebuild.
Patch added in -r1.
Thank you jer. As this package has not been stabilized it does not need a stabilization or a glsa, however could you please remove any vulnerable packages from the tree? (it might have been done already, however I don't see any update to the anon cvs at this time).
*apt-cacher-ng-0.7.26-r1 (24 Jun 2014)

  24 Jun 2014; Jeroen Roovers <jer@gentoo.org> -apt-cacher-ng-0.7.26.ebuild,
  +apt-cacher-ng-0.7.26-r1.ebuild, +files/apt-cacher-ng-0.7.26-CVE-2014-4510.patch:
  Add patch for CVE-2014-4510 (bug #514184).

The old ebuild is gone.
Perfect, thanks.