[ledgersmb-devel] Bug#992817: marked as done (ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731)



Your message dated Wed, 01 Sep 2021 18:48:50 +0000
with message-id <..hidden..>
and subject line Bug#992817: fixed in ledgersmb 1.6.9+ds-2.1
has caused the Debian Bug report #992817,
regarding ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ..hidden..
immediately.)


-- 
992817: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992817
Debian Bug Tracking System
Contact ..hidden.. with problems
--- Begin Message ---
Source: ledgersmb
Version: 1.6.9+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: ..hidden.., Debian Security Team <..hidden..>
Control: found -1 1.6.9+ds-1
Control: fixed -1 1.6.9+ds-1+deb10u2
Control: fixed -1 1.6.9+ds-2+deb11u2

Hi,

The following vulnerabilities were published for ledgersmb.

CVE-2021-3693[0]:
| LedgerSMB does not check the origin of HTML fragments merged into the
| browser's DOM. By sending a specially crafted URL to an authenticated
| user, this flaw can be abused for remote code execution and
| information disclosure.


CVE-2021-3694[1]:
| LedgerSMB does not sufficiently HTML-encode error messages sent to the
| browser. By sending a specially crafted URL to an authenticated user,
| this flaw can be abused for remote code execution and information
| disclosure.


CVE-2021-3731[2]:
| LedgerSMB does not sufficiently guard against being wrapped by other
| sites, making it vulnerable to 'clickjacking'. This allows an attacker
| to trick a targeted user to execute unintended actions.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3693
[1] https://security-tracker.debian.org/tracker/CVE-2021-3694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3694
[2] https://security-tracker.debian.org/tracker/CVE-2021-3731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3731

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ledgersmb
Source-Version: 1.6.9+ds-2.1
Done: Mattia Rizzolo <..hidden..>

We believe that the bug you reported is fixed in the latest version of
ledgersmb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to ..hidden..,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <..hidden..> (supplier of updated ledgersmb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ..hidden..)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Sep 2021 20:19:24 +0200
Source: ledgersmb
Architecture: source
Version: 1.6.9+ds-2.1
Distribution: unstable
Urgency: medium
Maintainer: LedgerSMB Core Team <..hidden..>
Changed-By: Mattia Rizzolo <..hidden..>
Closes: 992817
Changes:
 ledgersmb (1.6.9+ds-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Upload the last security fixes also to unstable.  Closes: #992817
 .
 ledgersmb (1.6.9+ds-2+deb11u3) bullseye-security; urgency=medium
 .
   * Fix a regression in the display of some search results
 .
 ledgersmb (1.6.9+ds-2+deb11u2) bullseye-security; urgency=medium
 .
   * Fix CVE-2021-3731, thanks to Erik Huelsmann
 .
 ledgersmb (1.6.9+ds-2+deb11u1) bullseye-security; urgency=medium
 .
   * Fix CVE-2021-3693 and CVE-2021-3694, thanks to Erik Huelsmann
Checksums-Sha1:
 c5db18d0af429290e9258e4af13ba6fabd97a507 3241 ledgersmb_1.6.9+ds-2.1.dsc
 afaad1d50b746bed816647acc2e1bdc83af853e9 38380 ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 11ff32e100ac28c47c1c13500d7cba52af5b8836 15237 ledgersmb_1.6.9+ds-2.1_amd64.buildinfo
Checksums-Sha256:
 3af1270aee67be5af8298c51cfe4c2d475306e661d87ece2cd1c00d568186992 3241 ledgersmb_1.6.9+ds-2.1.dsc
 91f28e5c0f6b6fca1c1555d7083ffbc8883b61b245c4db790e9c44fccf86aa67 38380 ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 d6f9f0b64da3b8619cd1250eeda8b9ae557909c70cfd3534956080d292ccbc49 15237 ledgersmb_1.6.9+ds-2.1_amd64.buildinfo
Files:
 c4debdee8daeb6412314ab946e6e6722 3241 web optional ledgersmb_1.6.9+ds-2.1.dsc
 90c9f6cab8c0e97ba8b536e5981c766c 38380 web optional ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 0aeaaf798b7b50314283466628240b51 15237 web optional ledgersmb_1.6.9+ds-2.1_amd64.buildinfo


--- End Message ---
_______________________________________________
devel mailing list -- ..hidden..
To unsubscribe send an email to ..hidden..