Source: ledgersmb
Version: 1.6.9+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.6.9+ds-1
Control: fixed -1 1.6.9+ds-1+deb10u2
Control: fixed -1 1.6.9+ds-2+deb11u2
Hi,
The following vulnerabilities were published for ledgersmb.
CVE-2021-3693[0]:
| LedgerSMB does not check the origin of HTML fragments merged into the
| browser's DOM. By sending a specially crafted URL to an authenticated
| user, this flaw can be abused for remote code execution and
| information disclosure.

CVE-2021-3694[1]:
| LedgerSMB does not sufficiently HTML-encode error messages sent to the
| browser. By sending a specially crafted URL to an authenticated user,
| this flaw can be abused for remote code execution and information
| disclosure.
CVE-2021-3731[2]:
| LedgerSMB does not sufficiently guard against being wrapped by other
| sites, making it vulnerable to 'clickjacking'. This allows an attacker
| to trick a targeted user to execute unintended actions.
If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-3693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3693
[1] https://security-tracker.debian.org/tracker/CVE-2021-3694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3694
[2] https://security-tracker.debian.org/tracker/CVE-2021-3731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3731
Please adjust the affected versions in the BTS as needed.
Regards, Salvatore
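The three CVE descriptions above name three distinct defensive gaps: an error message reaching the browser without HTML encoding (CVE-2021-3694), an HTML fragment merged into the DOM without an origin check (CVE-2021-3693), and responses that can be framed by other sites (CVE-2021-3731). The block below is an added illustration of the corresponding checks, written for this report and not taken from LedgerSMB (which is a Perl application); it is in Python so it can be run stand-alone. The hostnames, the sample error text and the header dictionaries are constructed placeholders.

```python
"""Defensive checks for the three weakness classes in the report.

Added illustration, not LedgerSMB code: HTML-escaping of error text
(CVE-2021-3694), a same-origin check before merging a fetched fragment
(CVE-2021-3693) and a response-header check for framing protection
(CVE-2021-3731). All inputs below are constructed samples.
"""
import html
from urllib.parse import urlparse

# Constructed sample: an error message that echoes a request parameter
# containing HTML metacharacters. Placeholder text, not a real payload.
UNTRUSTED_VALUE = 'acct "<b>12 & 7</b>"'


def render_error_unencoded(message: str) -> str:
    """'Before' behaviour: the message is interpolated verbatim, so any
    markup inside it is parsed by the browser as markup."""
    return f'<p class="error">{message}</p>'


def render_error(message: str) -> str:
    """Hardened: escape &, <, >, " and ' so the message is inert text
    regardless of what the request parameter contained."""
    return f'<p class="error">{html.escape(message, quote=True)}</p>'


def is_same_origin(fragment_url: str, app_origin: str) -> bool:
    """True only when scheme, host and port of fragment_url match the
    application's own origin; fragments from anywhere else must not be
    merged into the DOM."""
    default_port = {"https": 443, "http": 80}

    def origin(url: str):
        u = urlparse(url)
        port = u.port or default_port.get(u.scheme)
        return (u.scheme, (u.hostname or "").lower(), port)

    frag, app = origin(fragment_url), origin(app_origin)
    return frag == app and frag[0] in default_port


def frame_protection_ok(headers: dict) -> bool:
    """True when the response forbids cross-site framing, either via
    X-Frame-Options (DENY or SAMEORIGIN) or a CSP frame-ancestors
    directive that does not allow every origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            return bool(sources) and "*" not in sources
    return False


if __name__ == "__main__":
    print(render_error_unencoded(UNTRUSTED_VALUE))
    print(render_error(UNTRUSTED_VALUE))
    print(is_same_origin("https://ledger.example.test/frag.html",
                         "https://ledger.example.test"))
    print(frame_protection_ok({"X-Frame-Options": "SAMEORIGIN"}))
```

The header check treats the two mechanisms as alternatives because either one on its own stops a page from being wrapped by another site; a deployment review would run `frame_protection_ok` over the headers of every authenticated response, not just the login page.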
Processing control commands:
found -1 1.6.9+ds-1
Bug #992817 [src:ledgersmb] ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731 Marked as found in versions ledgersmb/1.6.9+ds-1.
fixed -1 1.6.9+ds-1+deb10u2
Bug #992817 [src:ledgersmb] ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731 Marked as fixed in versions ledgersmb/1.6.9+ds-1+deb10u2.
fixed -1 1.6.9+ds-2+deb11u2
Bug #992817 [src:ledgersmb] ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731 Marked as fixed in versions ledgersmb/1.6.9+ds-2+deb11u2.
Your message dated Wed, 01 Sep 2021 18:48:50 +0000 with message-id E1mLVI2-000IcO-Q6@fasolo.debian.org and subject line Bug#992817: fixed in ledgersmb 1.6.9+ds-2.1 has caused the Debian Bug report #992817, regarding ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)