Debian 10225 Published by

A roundup security update has been released for Debian 6 LTS



Package : roundup
Version : 1.4.15-3+deb6u1
CVE ID : CVE-2012-6130 CVE-2012-6131 CVE-2012-6132 CVE-2012-6133

* CVE-2012-6130
Cross-site scripting (XSS) vulnerability in the history
display in Roundup before 1.4.20 allows remote attackers
to inject arbitrary web script or HTML via a username,
related to generating a link.
* CVE-2012-6131
Cross-site scripting (XSS) vulnerability in cgi/client.py
in Roundup before 1.4.20 allows remote attackers to inject
arbitrary web script or HTML via the @action parameter to
support/issue1.
* CVE-2012-6132
Cross-site scripting (XSS) vulnerability in Roundup before
1.4.20 allows remote attackers to inject arbitrary web
script or HTML via the otk parameter.
* CVE-2012-6133
XSS flaws in ok and error messages
We solve this differently from the proposals in the bug-report
by not allowing *any* html-tags in ok/error messages anymore.