Ubuntu
roundup package

[roundup] [CVE-2008-1474] cross-site scripting vulnerability

Bug #227276 reported by disabled.user on 2008-05-06

260

Affects		Status	Importance	Assigned to	Milestone
	roundup (Debian)	Fix Released	Unknown	debbugs #472643
	roundup (Ubuntu)	Fix Released	High	William Grant
	Dapper	Won't Fix	Undecided	Unassigned
	Feisty	Won't Fix	Undecided	Unassigned
	Gutsy	Won't Fix	Undecided	Unassigned
	Hardy	Fix Released	High	William Grant
	Intrepid	Fix Released	High	William Grant

Bug Description

Binary package hint: roundup

References:
DSA-1554-1 (http://www.debian.org/security/2008/dsa-1554)

QuotingDSA-1554-1:
"Roundup, an issue tracking system, fails to properly escape HTML input,
allowing an attacker to inject client-side code (typically JavaScript)
into a document that may be viewed in the victim's browser."

Quoting CVE-2008-1474:
"Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS)."

CVE References

2008-1474

Bug Watch Updater (bug-watch-updater) on 2008-05-06

Changed in roundup:
status:	Unknown → Fix Released

Revision history for this message

Ralph Corderoy (ralph-inputplus) wrote on 2008-06-11:

#1

Does this mean 8.04's roundup is susceptible as things stand? I see all those "nominated" for release after release. I was planning on installing it, but now I'm not sure.

William Grant (wgrant) on 2008-06-26

Changed in roundup:
assignee:	nobody → wgrant
importance:	Undecided → High
status:	New → In Progress
assignee:	nobody → wgrant
importance:	Undecided → High
status:	New → In Progress

Revision history for this message

William Grant (wgrant) wrote on 2008-06-26:

#2

Actually, my last merge fixed this in Hardy months ago. It's safe.

Changed in roundup:
status:	In Progress → Fix Released
status:	In Progress → Fix Released

Revision history for this message

Hew (hew) wrote on 2008-12-15:

#3

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in roundup:
status:	New → Won't Fix

Revision history for this message

Sergio Zanchetta (primes2h) wrote on 2009-05-07:

#4

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in roundup (Ubuntu Gutsy):
status:	New → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-10-14:

#5

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in roundup (Ubuntu Dapper):
status:	New → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #472643
[done important patch security] Edit

Bug watches keep track of this bug in other bug trackers.