fex (20100208+debian1-1+squeeze4) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
  * [CVE-2014-3875]: When inserting encoded newline characters into a
    request to rup, additional HTTP headers can be injected into the
    reply, as well as new HTML code on the top of the website.
  * [CVE-2014-3876]: The parameter akey is reflected unfiltered as part
    of the HTML page. Some characters are forbidden in the GET parameter
    due to filtering of the URL, but this can be circumvented by using a
    POST parameter. Nevertheless, this issue is exploitable via the GET
    parameter alone, with some user interaction.
  * [CVE-2014-3877]: The parameter addto is reflected only slightly
    filtered back to the user as part of the HTML page. Some characters
    are forbidden in the GET parameter due to filtering of the URL, but
    this can be circumvented by using a POST parameter. Nevertheless,
    this issue is exploitable via the GET parameter alone, with some
    user interaction.

 -- Thorsten Alteholz  Tue, 30 Sep 2014 19:00:33 +0200

fex (20100208+debian1-1+squeeze3) stable-security; urgency=high

  * Fixup for last upload. (Missing initialization, Closes: #660828)

 -- Kilian Krause  Thu, 23 Feb 2012 15:39:33 +0100

fex (20100208+debian1-1+squeeze2) stable-security; urgency=high

  * Add debian/patches/08_xss.patch (backported from and by upstream) to
    fix XSS (Closes: #660621)
    - CVE-2012-0869

 -- Kilian Krause  Tue, 21 Feb 2012 11:14:34 +0100

fex (20100208+debian1-1+squeeze1) squeeze-security; urgency=high

  * Add debian/patches/07_fup.patch (backported from upstream):
    Security update for cgi-bin/fup to not allow everyone to upload
    files with empty auth-ID (fixes CVE-2011-1409)
  * Put myself into Uploaders

 -- Kilian Krause  Fri, 10 Jun 2011 14:31:48 +0200

fex (20100208+debian1-1) unstable; urgency=low

  * [7850750] Imported Upstream version 20100208+debian1
  * [321d092] Refreshed patches
  * [9580c42] Updated README.source
  * [178490b] fex-utils description: indent the binary list with two
    spaces.
    - thanks to Gerfried Fuchs
  * [832b114] Fix a typo in short description.
    - thanks to Ullrich Horlacher

 -- Giuseppe Iuculano  Wed, 03 Mar 2010 17:11:38 +0100

fex (20091210+debian0-2) unstable; urgency=low

  * [c977b32] Fixed a bug in the mailer, sendmail syntax was wrong
  * [edc6f17] bin/fac: use VISUAL and EDITOR environment variables. If
    neither of the environment variables is defined, then the default
    editor /usr/bin/editor is used.

 -- Giuseppe Iuculano  Sun, 07 Feb 2010 18:36:28 +0100

fex (20091210+debian0-1) unstable; urgency=low

  * Initial release (Closes: #495973)

 -- Giuseppe Iuculano  Sun, 31 Jan 2010 21:39:04 +0100