Ubuntu
sarg package

[CVE-2008-1168] XSS in log and useragent parser

Bug #202758 reported by William Grant on 2008-03-16

266

Affects		Status	Importance	Assigned to	Milestone
	sarg (Ubuntu)	Fix Released	High	William Grant
	Dapper	Won't Fix	Undecided	Unassigned
	Edgy	Won't Fix	Undecided	Unassigned
	Feisty	Won't Fix	Undecided	Unassigned
	Gutsy	Won't Fix	Undecided	Unassigned
	Hardy	Fix Released	High	William Grant

Bug Description

Binary package hint: sarg

CVE-2008-1167:
Stack-based buffer overflow in the useragent function in useragent.c in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remote attackers to execute arbitrary code via a long Squid proxy server User-Agent header. NOTE: some of these details are obtained from third party information.

CVE-2008-1168:
Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header, which is not properly handled when displaying the Squid proxy log. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Both issues are fixed upstream in 2.2.5.

CVE References

Revision history for this message

William Grant (wgrant) wrote on 2008-03-16:

#1

2.2.4-2.2.5 changelogs Edit (1.0 KiB, text/plain)

The only changes in 2.2.4 and 2.2.5 are these security fixes, so a FFe is not required. The changelog entries are attached.

Revision history for this message

William Grant (wgrant) wrote on 2008-03-16:

#2

Sync requested in bug #202759.

Changed in sarg:
assignee:	nobody → fujitsu
importance:	Undecided → High
status:	New → In Progress

William Grant (wgrant) on 2008-03-23

Changed in sarg:
status:	In Progress → Fix Released

Revision history for this message

Hew (hew) wrote on 2008-07-24:

#3

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in sarg:
status:	New → Won't Fix

Revision history for this message

LumpyCustard (orangelumpycustard) wrote on 2008-12-14:

#4

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Revision history for this message

Hew (hew) wrote on 2008-12-15:

#5

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in sarg:
status:	New → Won't Fix

Revision history for this message

Sergio Zanchetta (primes2h) wrote on 2009-05-07:

#6

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in sarg (Ubuntu Gutsy):
status:	New → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-10-14:

#7

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in sarg (Ubuntu Dapper):
status:	New → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

Bug #203472

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

2.2.4-2.2.5 changelogs Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.