[CVE-2008-0444, CVE-2008-0445] XSS and DoS

Bug #216301 reported by William Grant
Affects          Status        Importance  Assigned to  Milestone
elog (Debian)    Fix Released  Unknown
elog (Ubuntu)    Invalid       High        Unassigned
Dapper           Won't Fix     Undecided   Unassigned
Edgy             Invalid       Undecided   Unassigned
Feisty           Won't Fix     Undecided   Unassigned
Gutsy            Won't Fix     Undecided   Unassigned
Hardy            Won't Fix     High        Unassigned

Bug Description

Binary package hint: elog

I presume that all releases are affected by these, as there is little difference between them.

CVE-2008-0444:
"Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components."

CVE-2008-0445:
"The replace_inline_img function in elogd in Electronic Logbook (ELOG) before 2.7.1 allows remote attackers to cause a denial of service (infinite loop) via crafted logbook entries. NOTE: some of these details are obtained from third party information."

Tags: edgy-close

CVE References

William Grant (wgrant)
Changed in elog:
importance: Undecided → High
status: New → Confirmed
Changed in elog:
status: Unknown → New
Changed in elog:
status: New → Fix Released
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.

Changed in elog:
status: New → Invalid
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in elog:
status: New → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

Changed in elog (Ubuntu Gutsy):
status: New → Won't Fix
r12056 (r12056)
Changed in elog (Ubuntu Hardy):
assignee: nobody → Ubuntu BugSquad (bugsquad)
Changed in elog (Ubuntu):
assignee: nobody → Ubuntu BugSquad (bugsquad)
assignee: Ubuntu BugSquad (bugsquad) → Ubuntu Security Team (ubuntu-security)
Changed in elog (Ubuntu Hardy):
assignee: Ubuntu BugSquad (bugsquad) → Ubuntu Security Team (ubuntu-security)
Chris Johnston (cjohnston) wrote :

Removed assignee that was added by r12056.

Changed in elog (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in elog (Ubuntu Hardy):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Jamie Strandboge (jdstrand) wrote :

Please do not assign the Ubuntu Security Team to bugs. The team is already subscribed, which is enough. Additionally, this package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Changed in elog (Ubuntu Dapper):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in elog (Ubuntu Dapper):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

elog is no longer in Ubuntu so I have marked the main task as Invalid.

Changed in elog (Ubuntu):
status: Confirmed → Invalid
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in elog (Ubuntu Hardy):
status: Confirmed → Won't Fix
This report contains Public Security information. Everyone can see this security related information.