Gentoo Linux -- List Archive: gentoo-commits

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647

List Archive: gentoo-commits

Navigation:

Lists: gentoo-commits: < Prev By Thread Next > < Prev By Date Next >

Headers:

To:	gentoo-commits@g.o
From:	"Tobias Heinlein (keytoaster)" <keytoaster@g.o>
Subject:	gentoo commit in xml/htdocs/security/en/glsa: glsa-200805-21.xml
Date:	Tue, 27 May 2008 20:45:49 +0000

keytoaster    08/05/27 20:45:49

  Added:                glsa-200805-21.xml
  Log:
  GLSA 200805-21

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-200805-21.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200805-21.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200805-21.xml?rev=1.1&content-type=text/plain

Index: glsa-200805-21.xml
===================================================================
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="200805-21">
  <title>Roundup: Permission bypass</title>
  <synopsis>
    A vulnerability in Roundup allows for bypassing permission restrictions.
  </synopsis>
  <product type="ebuild">roundup</product>
  <announced>May 27, 2008</announced>
  <revised>May 27, 2008: 01</revised>
  <bug>212488</bug>
  <bug>214666</bug>
  <access>remote</access>
  <affected>
    <package name="www-apps/roundup" auto="yes" arch="*">
      <unaffected range="ge">1.4.4-r1</unaffected>
      <vulnerable range="lt">1.4.4-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    Roundup is an issue-tracking system with command-line, web and e-mail
    interfaces.
    </p>
  </background>
  <description>
    <p>
    Philipp Gortan reported that the xml-rpc server in Roundup does not
    check property permissions (CVE-2008-1475). Furthermore, Roland Meister
    discovered multiple vulnerabilities caused by unspecified errors, some
    of which may be related to cross-site scripting (CVE-2008-1474).
    </p>
  </description>
  <impact type="normal">
    <p>
    A remote attacker could possibly exploit the first vulnerability to
    edit or view restricted properties via the list(), display(), and set()
    methods. The impact and attack vectors of the second vulnerability are
    unknown.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All Roundup users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=www-apps/roundup-1.4.4-r1&quot;</code>
  </resolution>
  <references>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1474">CVE-2008-1474</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475">CVE-2008-1475</uri>
  </references>
  <metadata tag="requester" timestamp="Mon, 19 May 2008 15:24:06 +0000">
    keytoaster
  </metadata>
  <metadata tag="submitter" timestamp="Wed, 21 May 2008 19:07:57 +0000">
    keytoaster
  </metadata>
  <metadata tag="bugReady" timestamp="Thu, 22 May 2008 09:03:17 +0000">
    p-y
  </metadata>
</glsa>



-- 
gentoo-commits@g.o mailing list

Navigation:

Lists: gentoo-commits: < Prev By Thread Next > < Prev By Date Next >

Previous by thread:

gentoo-x86 commit in x11-libs/libX11: ChangeLog

Next by thread:

planet r381 - configs

Previous by date:

gentoo-x86 commit in dev-util/buildbot: ChangeLog buildbot-0.7.7-r1.ebuild

Next by date:

gentoo-x86 commit in dev-util/buildbot: ChangeLog buildbot-0.7.7-r1.ebuild

Updated May 02, 2012

Summary: Archive of the gentoo-commits mailing list.

Donate to support our development efforts.