desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #41540
[Bug 879301] Re: HTML injection in nicknames
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-3635
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to empathy in Ubuntu.
https://bugs.launchpad.net/bugs/879301
Title:
HTML injection in nicknames
Status in “empathy” package in Ubuntu:
In Progress
Bug description:
I just requested CVE-2011-3635 for
https://bugzilla.gnome.org/show_bug.cgi?id=662035
I'm opening this bug to already let you know about this security issue
as Ubuntu is more affected than other distros as it ships an Adium
theme by default.
Here is the description of the CVE:
Empathy from version 2.25.3 to 3.2.1.1 is vulnerable to a HTML
injection bug in its chat window. Only version built with WebKit
support (which was optional before version 3.1.5.1) are affected. Also
this doesn't affect the default chat window, the vulnerability happens
only when the user has configured it to use an Adium theme (none are
provided by default).
Fix:
http://git.gnome.org/browse/empathy/commit/?id=739aca418457de752be13721218aaebc74bd9d36
Details: https://bugzilla.gnome.org/show_bug.cgi?id=662035
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/879301/+subscriptions