Xymon Multiple XSS

Fixed since version in Quantal.

This is a backported patch for precise. It's based on the changes made upstream (from 4.3.0 to 4.3.1). I hope I didn't miss anything. As well please check if the new versioning is right.

Christian, thanks for the patch; it is very nearly there.

Please add DEP-3 tags to the 7-CVE-2011-1716.patch file to document the patch provenance. The guidelines are available at https://wiki.ubuntu.com/PackagingGuide/PatchSystems#Patch_Tagging_Guidelines .

The version number increase looked good to me.

Some of the patches in the series after 7-CVE-2011-1716.patch apply with fuzz; did they apply with fuzz before your patch? Was there a reason to apply this patch at the head of the series?

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete.

Thank you

Thanks for the review.

Yes some of the other patches apply with fuzz already before my patch added and there was no change in the behavior befor and after my patch.

There is no particular reason for adding my patch at the head of the series other than using 'quilt new xxxxx' which put it on top. I will move it down to the bugfix section.

This is the new patch with the changes according to the feedback.

ACK'd, thanks for the update.

This bug was fixed in the package xymon - 4.3.0~beta2.dfsg-9.1ubuntu0.1

---------------
xymon (4.3.0~beta2.dfsg-9.1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Multiple cross site scripting (XSS) vulnerabilities
    (LP: #1092412)
    - debian/patches/7-CVE-2011-1716.patch: show user input as html quoted
      output. Based on upstream changes.
    - CVE-2011-1716
 -- Christian Kuersteiner <email address hidden> Sun, 23 Dec 2012 14:08:54 +0700

I made a few modifications to the debdiff:

- Changed paths in debdiff to apply
- Removed # from patch headers
- Split Author/Origin into two headers

Thanks again Christian

This bug was fixed in the package xymon - 4.3.0~beta2.dfsg-9.1ubuntu0.1

---------------
xymon (4.3.0~beta2.dfsg-9.1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Multiple cross site scripting (XSS) vulnerabilities
    (LP: #1092412)
    - debian/patches/7-CVE-2011-1716.patch: show user input as html quoted
      output. Based on upstream changes.
    - CVE-2011-1716
 -- Christian Kuersteiner <email address hidden> Sun, 23 Dec 2012 14:08:54 +0700

Oneiric patch

Lucid patch

ACK on the debdiffs, thanks!

This bug was fixed in the package xymon - 4.3.0~beta2.dfsg-5ubuntu0.1

---------------
xymon (4.3.0~beta2.dfsg-5ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Multiple cross site scripting (XSS) vulnerabilities
    (LP: #1092412)
    - debian/patches/9-CVE-2011-1716.patch: show user input as html quoted
      output. Based on upstream changes.
    - CVE-2011-1716
 -- Christian Kuersteiner <email address hidden> Tue, 15 Jan 2013 13:39:32 +0700

This bug was fixed in the package xymon - 4.3.0~beta2.dfsg-9ubuntu1.1

---------------
xymon (4.3.0~beta2.dfsg-9ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Multiple cross site scripting (XSS) vulnerabilities
    (LP: #1092412)
    - debian/patches/8-CVE-2011-1716.patch: show user input as html quoted
      output. Based on upstream changes.
    - CVE-2011-1716
 -- Christian Kuersteiner <email address hidden> Mon, 14 Jan 2013 14:01:38 +0700