MGASA-2012-0165
| Date: | July 14th, 2012 |
| Affected releases: | 1 |
Description:
Updated backuppc packages fix security vulnerabilities:
Cross-site scripting (XSS) vulnerability in RestoreFile.pm in
BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows
remote attackers to inject arbitrary web script or HTML via the
share parameter in a RestoreFile action to index.cgi (CVE-2011-5081).
Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0,
3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to
inject arbitrary web script or HTML via the num parameter in a view
action to index.cgi, related to the log file viewer (CVE-2011-4923).
Also, This update package corrects/improves the definition of variables
in config.pl, the configuration file of backuppc: the variables SshPath,
SmbClientPath, NmbLookupPath, TarClientPath, TopDir. As a result,
backuppc should now run with the default values installed by the Mageia
package, modifications of config.pl should only be required for defining
site-specific settings.
Finally, This update also fixes a bug which blocked correct use of the
Configuration Editor in the Web-interface to backuppc.
Updated Packages:
backuppc-3.2.0-6.mga1
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4923
http://www.ubuntu.com/usn/usn-1444-1/
https://bugs.mageia.org/show_bug.cgi?id=6530
