pluxml - Debian Package Tracker

general

source: pluxml (main)
version: 5.6-1
maintainer: Tanguy Ortolo (DMD)
arch: all
std-ver: 4.1.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.5-2
oldstable: 5.6-1
unstable: 5.6-1

versioned links

5.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

pluxml (1 bugs: 0, 1, 0, 0)

action needed

12 security issues in stretch high

There are 12 open security issues in stretch.

9 important issues:

CVE-2007-3432: Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename.
CVE-2007-3542: Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
CVE-2012-4674: PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID.
CVE-2012-4675: Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update.
CVE-2022-24585: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
CVE-2022-24586: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
CVE-2022-24587: A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
CVE-2022-25018: Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVE-2022-25020: A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

3 issues postponed or untriaged:

CVE-2021-38602: (needs triaging) PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
CVE-2021-38603: (needs triaging) PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.
CVE-2017-1001001: (needs triaging) PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges.

Created: 2022-02-16 Last update: 2022-03-25 20:00

11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:

CVE-2007-3432: Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename.
CVE-2007-3542: Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
CVE-2012-4674: PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID.
CVE-2012-4675: Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update.
CVE-2021-38602: PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
CVE-2021-38603: PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.
CVE-2022-24585: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
CVE-2022-24586: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
CVE-2022-24587: A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
CVE-2022-25018: Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVE-2022-25020: A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

Created: 2021-08-13 Last update: 2022-03-25 20:00

11 security issues in buster high

There are 11 open security issues in buster.

9 important issues:

CVE-2007-3432: Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename.
CVE-2007-3542: Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
CVE-2012-4674: PluXml before 5.1.6 allows remote attackers to obtain the installation path via the PHPSESSID.
CVE-2012-4675: Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to file update.
CVE-2022-24585: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
CVE-2022-24586: A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
CVE-2022-24587: A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
CVE-2022-25018: Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVE-2022-25020: A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

2 ignored issues:

CVE-2021-38602: PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
CVE-2021-38603: PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.

Created: 2021-08-13 Last update: 2022-03-25 20:00

lintian reports 4 errors and 2 warnings high

Lintian reports 4 errors and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-09-21 Last update: 2022-01-01 04:34

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2020-11-28 Last update: 2022-05-19 10:07

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.6-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 3ab4fd88c43af8ea3d2bdd1278605193eb203f5f
Merge: 1c53955 26df74e
Author: Tanguy Ortolo <tanguy.ortolo@adobe.com>
Date:   Tue Jan 22 16:14:17 2019 +0100

    Merge remote-tracking branch 'ortolo/master'
    
    * ortolo/master: (236 commits)
      Update Standards-Version to 4.1.3
      Remove obsolete Lintian overrides
      Remove useless exec rights on a PHP class file
      Update version in generated configuration file
      Use a secure URL for the copyright format
      Add default-mta to the recommends
      Add Rules-Requires-Root to control
      Switch package priority from extra to optional
      Switch to debhelper 9
      Remove trailing whitespace
      Add a patch to mitigate CVE-2017-1001001
      Remove captcha patch applied upstream
      Add new config parameter bypage_tags
      Update Spanish template translation
      Update changelog with new version
      modif param fct
      gestion langue
      réglage css
      réglages theme
      affichage mode
      ...

commit 1c53955d8b13dcecbdd4b7b47201543fc4488a11
Author: Tanguy Ortolo <tanguy.ortolo@adobe.com>
Date:   Tue Jan 22 16:12:10 2019 +0100

    Remove unexpected temporary files on exit

commit c997ac5fb11007b78170db00344a0bf073dc4d50
Author: Tanguy Ortolo <tanguy.ortolo@adobe.com>
Date:   Tue Jan 22 16:11:09 2019 +0100

    Correct unescaped $ in a generated conffile

Created: 2019-01-23 Last update: 2022-05-19 07:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.1.3).

Created: 2018-04-16 Last update: 2022-05-11 23:24

testing migrations

excuses:
- Migration status for pluxml (- to 5.6-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating pluxml would introduce bugs in testing: #1008264
- ∙ ∙ Not built on buildd: arch all binaries uploaded by tanguy+debian@ortolo.eu, a new source-only upload is needed to allow migration
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/pluxml.html
- ∙ ∙ 1519 days old (needed 5 days)
- Not considered

news

[rss feed]

[2020-11-29] pluxml REMOVED from testing (Debian testing watch)
[2018-03-27] pluxml 5.6-1 MIGRATED to testing (Debian testing watch)
[2018-03-21] Accepted pluxml 5.6-1 (source all) into unstable (Tanguy Ortolo)
[2017-12-15] pluxml REMOVED from testing (Debian testing watch)
[2016-08-18] pluxml 5.5-2 MIGRATED to testing (Debian testing watch)
[2016-08-12] Accepted pluxml 5.5-2 (source all) into unstable (Tanguy Ortolo)
[2016-05-14] pluxml 5.5-1 MIGRATED to testing (Debian testing watch)
[2016-05-08] Accepted pluxml 5.5-1 (source all) into unstable (Tanguy Ortolo)
[2015-07-29] pluxml 5.4-1 MIGRATED to testing (Britney)
[2015-07-23] Accepted pluxml 5.4-1 (source all) into unstable (Tanguy Ortolo)
[2014-09-11] pluxml 5.3.1-2 MIGRATED to testing (Britney)
[2014-08-31] Accepted pluxml 5.3.1-2 (source all) into unstable (Tanguy Ortolo)
[2014-04-24] pluxml 5.3.1-1 MIGRATED to testing (Debian testing watch)
[2014-04-18] Accepted pluxml 5.3.1-1 (source all) (Tanguy Ortolo)
[2014-01-20] pluxml 5.3-1 MIGRATED to testing (Debian testing watch)
[2014-01-14] Accepted pluxml 5.3-1 (source all) (Tanguy Ortolo)
[2013-12-02] pluxml 5.2-4 MIGRATED to testing (Debian testing watch)
[2013-11-25] Accepted pluxml 5.2-4 (source all) (Tanguy Ortolo)
[2013-11-07] pluxml 5.2-3 MIGRATED to testing (Debian testing watch)
[2013-10-27] Accepted pluxml 5.2-3 (source all) (Tanguy Ortolo)
[2013-09-13] pluxml 5.2-2 MIGRATED to testing (Debian testing watch)
[2013-09-02] Accepted pluxml 5.2-1 (source amd64) (Tanguy Ortolo)
[2013-09-02] Accepted pluxml 5.2-2 (source all) (Tanguy Ortolo)

bugs [bug history graph]

all: 2
RC: 1
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (4, 2)
buildd: logs, clang
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (99, -)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.6-1