Bug 64304 - (CVE-2004-1318) VUL-0: CVE-2004-1318: "Cross-Site Scripting Vulnerability" in namazu
(CVE-2004-1318)
VUL-0: CVE-2004-1318: "Cross-Site Scripting Vulnerability" in namazu
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All Linux
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVE-2004-1318: CVSS v2 Base Score: 4....
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-16 12:01 UTC by Marcus Meissner
Modified: 2021-10-27 08:47 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Masaji Takeyama 2004-12-16 12:01:07 UTC
The bug of "Cross-Site Scripting Vulnerability" was found in namazu.
The problem was fixed namazu-2.0.14 are released.
# 8.1, 8.2, 9.0, 9.1, 9.2 are influenced.

Please see this for details.
 http://www.namazu.org/security.html.en
Comment 1 Marcus Meissner 2004-12-16 16:25:51 UTC
mike, can you provide updated packages please 
Comment 2 Masaji Takeyama 2004-12-16 17:12:38 UTC
I tried creating the package of namazu-2.0.14.
(It is at a base about namazu-2.0.12-169 of SUSE 9.1.)

The namazu-2.0.14 require 1.2 or more "File::MMagic(perl module)" version.
# I used "perl-File-MMagic-1.22-2" of SUSE 9.2.

However, this package has not made the check of operation enough.

(The following is the difference in SPEC.)
-----------------------------------------------
# diff  namazu.spec  namazu.spec.2012.169
2c2
< # spec file for package namazu (Version 2.0.14)
---
> # spec file for package namazu (Version 2.0.12)
16,18d15
< #namzu-2.0.14(required File::MMagic(perl module) version 1.2)
< BuildRequires: perl-File-MMagic >= 1.20
<
25,28c22,23
< ##Version:      2.0.12
< ##Release:      169
< Version:      2.0.14
< Release:      0.01
---
> Version:      2.0.12
> Release:      169
31,32c26
< ##Source0:      http://www.namazu.org/stable/%{name}-%{version}.tar.bz2
< Source0:      http://www.namazu.org/stable/%{name}-%{version}.tar.gz
---
> Source0:      http://www.namazu.org/stable/%{name}-%{version}.tar.bz2
159c153
< ##%patch0 -p1 -b .linguas
---
> %patch0 -p1 -b .linguas
161,162c155,156
< ##%patch2 -p1 -b .config
< ##%patch3 -p1 -b .de
---
> %patch2 -p1 -b .config
> %patch3 -p1 -b .de
248,249d241
< * Thu Dec 16 2004 M. Takeyama(namazu-2.0.14.01)
< - update to 2.0.14
-----------------------------------------------
Comment 3 Mike Fabian 2004-12-21 01:25:14 UTC
* This comment was added by mail.
Packages which update to namazu 2.0.14 for distributions where this is
easily possible and namazu packages of older versions with a security
patch applied which fixes the cross site scripting vulnerability are
here:

ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.1/i586/namazu-2.0.10-155.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.1/i586/namazu-cgi-2.0.10-155.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.1/i586/namazu-devel-2.0.10-155.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.1/src/namazu-2.0.10-155.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.2/i586/namazu-2.0.12-170.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.2/i586/namazu-cgi-2.0.12-170.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.2/i586/namazu-devel-2.0.12-170.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/8.2/src/namazu-2.0.12-170.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/i586/namazu-2.0.14-1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/i586/namazu-cgi-2.0.14-1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/i586/namazu-devel-2.0.14-1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/i586/perl-File-MMagic-1.22-2.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/src/namazu-2.0.14-1.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/src/perl-File-MMagic-1.22-2.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/x86_64/namazu-2.0.14-1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/x86_64/namazu-cgi-2.0.14-1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/x86_64/namazu-devel-2.0.14-1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.0/x86_64/perl-File-MMagic-1.22-2.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/i586/namazu-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/i586/namazu-cgi-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/i586/namazu-devel-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/i586/perl-File-MMagic-1.22-1.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/src/namazu-2.0.14-0.1.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/src/perl-File-MMagic-1.22-1.1.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/x86_64/namazu-2.0.14-0.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/x86_64/namazu-cgi-2.0.14-0.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/x86_64/namazu-devel-2.0.14-0.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.1/x86_64/perl-File-MMagic-1.22-1.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/i586/namazu-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/i586/namazu-cgi-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/i586/namazu-devel-2.0.14-0.1.i586.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/src/namazu-2.0.14-0.1.src.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/x86_64/namazu-2.0.14-0.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/x86_64/namazu-cgi-2.0.14-0.1.x86_64.rpm
ftp://SuSE/ftp.suse.com/pub/projects/m17n/9.2/x86_64/namazu-devel-2.0.14-0.1.x86_64.rpm

I'll prepare updates which contain only the security fix and which can
be downloaded via YOU tomorrow.
Comment 4 Mike Fabian 2004-12-21 23:25:57 UTC
Updated packages with patches submitted for inclusion in the 
next YOU update for 8.2, 9.0, 9.1, and 9.2.

Closing as FIXED.
Comment 5 Marcus Meissner 2004-12-21 23:28:27 UTC
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Tue Dec 21 16:28:27 2004, took initial reporter takezou040728@yahoo.co.jp to cc
Comment 6 Marcus Meissner 2004-12-21 23:28:27 UTC
reopemn for tracking 
Comment 7 Marcus Meissner 2005-01-04 00:33:10 UTC
update released. 
Comment 8 Marcus Meissner 2005-01-04 00:33:21 UTC
-> fixed 
Comment 9 Ludwig Nussel 2005-01-10 20:03:42 UTC
CAN-2004-1318 
Comment 10 Thomas Biege 2009-10-13 20:05:26 UTC
CVE-2004-1318: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)