Giuseppe Iuculano
2009-Jul-07 06:33 UTC
[Secure-testing-team] Bug#536051: CVE-2009-2265, CVE-2009-2324: input sanitization errors
Package: fckeditor
Version: 1:2.6.2-1
Severity: grave
Tags: security lenny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for fckeditor.
CVE-2009-2265[0]:
| Multiple directory traversal vulnerabilities in FCKeditor before
| 2.6.4.1 allow remote attackers to create executable files in arbitrary
| directories via directory traversal sequences in the input to
| unspecified connector modules, as exploited in the wild for remote
| code execution in July 2009, related to the file browser and the
| editor/filemanager/connectors/ directory.
CVE-2009-2324[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor
| before 2.6.4.1 allow remote attackers to inject arbitrary web script
| or HTML via components in the samples (aka _samples) directory.
These are already fixed in debian unstable.
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable releases.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
http://security-tracker.debian.net/tracker/CVE-2009-2265
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2324
http://security-tracker.debian.net/tracker/CVE-2009-2324
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpS7BoACgkQNxpp46476aqLkgCfbfTGN8TqPG10C+EBvYMm82zJ
9ngAnRpSHHzwAfY1Usb0My2SzkvwunSF
=tCPb
-----END PGP SIGNATURE-----