A new security flaw has been found in the ikiwiki software package on the Fedora 15 operating system. ikiwiki is a compiler that converts wiki pages into HTML (HyperText Markup Language) pages suitable for publishing on the web. The flaw stems from a missing check of whether the "htmlscrubber" plugin is enabled while the "meta stylesheet" directive is being processed. Malicious remote users can thereby carry out XSS (cross-site scripting) attacks using specially crafted CSS (Cascading Style Sheets) character sequences. All users are advised to apply the published update to remedy the flaw.
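As an added illustration (not ikiwiki's own Perl code) of the check the advisory says was missing: a simplified Python model of a `meta stylesheet` directive handler whose generated `<link>` attributes only bypass scrubbing when the scrubber plugin is disabled. The function names, the attribute whitelist and the href rules are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlparse

# Illustrative model of a "meta stylesheet" directive handler and the
# htmlscrubber gate; these names and rules are assumptions, not ikiwiki's code.

ALLOWED_LINK_ATTRS = ("rel", "type", "title", "href")   # whitelist for <link>
SAFE_REL_PATH = re.compile(r"^[\w./-]+\.css$")           # plain relative .css path


def scrub_link_attrs(attrs: dict) -> dict:
    """Keep only whitelisted attributes, restrict href, and escape every value."""
    clean = {}
    for name, value in attrs.items():
        if name not in ALLOWED_LINK_ATTRS:
            continue  # unknown attribute (event handlers, style, ...) is dropped
        if name == "href":
            scheme = urlparse(value).scheme
            if scheme and scheme not in ("http", "https"):
                continue  # javascript:, data: and other active schemes are dropped
            if not scheme and not SAFE_REL_PATH.match(value):
                continue  # quotes, spaces or odd characters in a relative path: drop it
        clean[name] = html.escape(value, quote=True)  # " and < can no longer break out
    return clean


def render_meta_stylesheet(href, title="", rel="alternate stylesheet",
                           scrubber_enabled=True):
    """Turn the directive's parameters into a <link> tag.

    The gate the advisory describes: when the scrubber plugin is enabled, the
    generated attributes must pass through it instead of being emitted verbatim.
    With the scrubber disabled (a wiki that trusts its editors), values are
    emitted as given.
    """
    attrs = {"rel": rel, "type": "text/css", "href": href}
    if title:
        attrs["title"] = title
    if scrubber_enabled:
        attrs = scrub_link_attrs(attrs)
        if "href" not in attrs:
            return ""  # no safe stylesheet target left: emit nothing
    body = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return f"<link {body} />"


if __name__ == "__main__":
    print(render_meta_stylesheet("local.css", title="Local style"))  # constructed input
    print(repr(render_meta_stylesheet('local.css" title="x')))       # constructed, dropped
```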

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-5249
2011-04-13 04:47:48
--------------------------------------------------------------------------------

Name        : ikiwiki
Product     : Fedora 15
Version     : 3.20110328
Release     : 1.fc15
URL         : http://ikiwiki.info/
Summary     : A wiki compiler
Description :
Ikiwiki is a wiki compiler. It converts wiki pages into HTML pages
suitable for publishing on a website. Ikiwiki stores pages and history
in a revision control system such as Subversion or Git. There are many
other features, including support for blogging, as well as a large
array of plugins.

--------------------------------------------------------------------------------
Update Information:

Update to latest upstream version 3.20110328.

Security fix: Possible javascript insertion via insufficient htmlscrubbing of
alternate stylesheets. (CVE-2011-1401)

See http://ikiwiki.info/news/ for the full list of changes.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #695501 - CVE-2011-1401 ikiwiki: XSS via crafted CSS token sequences
        https://bugzilla.redhat.com/show_bug.cgi?id=695501
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update ikiwiki' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
