xdg-utils - Debian Package Tracker

general

source: xdg-utils (main)
version: 1.1.3-4.1
maintainer: Debian freedesktop.org maintainers (archive) (DMD)
uploaders: Nicholas Guriev [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.1.3-1+deb10u1
oldstable: 1.1.3-4.1
stable: 1.1.3-4.1
testing: 1.1.3-4.1
unstable: 1.1.3-4.1

versioned links

1.1.3-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.3-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

xdg-utils (64 bugs: 0, 47, 17, 0)

action needed

A new upstream version is available: 1.2.0~beta1 high

A new upstream version 1.2.0~beta1 is available, you should consider packaging it.

Created: 2023-10-01 Last update: 2023-10-01 08:45

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Created: 2022-07-04 Last update: 2023-06-11 06:30

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Created: 2023-06-11 Last update: 2023-06-11 06:30

9 bugs tagged patch in the BTS normal

The BTS contains patches fixing 9 bugs, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-10-01 08:36

2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2022-4055: (needs triaging) When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: (postponed; to be fixed through a stable update) A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-06-11 06:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2022-4055: (needs triaging) When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: (postponed; to be fixed through a stable update) A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2023-06-11 06:30

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.1.3-4.1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-12-17 19:17

news

[rss feed]

[2021-05-04] xdg-utils 1.1.3-4.1 MIGRATED to testing (Debian testing watch)
[2021-04-26] Accepted xdg-utils 1.1.3-4.1 (source) into unstable (Roland Clobus) (signed by: Paul Gevers)
[2021-02-13] xdg-utils 1.1.3-4 MIGRATED to testing (Debian testing watch)
[2021-01-18] Accepted xdg-utils 1.1.3-4 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2021-01-18] Accepted xdg-utils 1.1.3-3 (source) into unstable (Nicholas Guriev) (signed by: Adam Borowski)
[2020-04-26] Accepted xdg-utils 1.1.1-1+deb9u2 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Mattia Rizzolo)
[2020-04-25] Accepted xdg-utils 1.1.3-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Mattia Rizzolo)
[2020-03-19] xdg-utils 1.1.3-2 MIGRATED to testing (Debian testing watch)
[2020-03-14] Accepted xdg-utils 1.1.3-2 (source) into unstable (Nicholas Guriev) (signed by: Adam Borowski)
[2018-05-28] Accepted xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-28] Accepted xdg-utils 1.1.1-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] Accepted xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1 (source all) into oldstable->embargoed, oldstable (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] Accepted xdg-utils 1.1.1-1+deb9u1 (source all) into stable->embargoed, stable (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] xdg-utils 1.1.3-1 MIGRATED to testing (Debian testing watch)
[2018-05-24] Accepted xdg-utils 1.1.0~rc1+git20111210-6+deb7u4 (source all) into oldoldstable (Nicholas Guriev) (signed by: Markus Koschany)
[2018-05-20] Accepted xdg-utils 1.1.3-1 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2018-03-04] xdg-utils 1.1.2-2 MIGRATED to testing (Debian testing watch)
[2018-02-27] Accepted xdg-utils 1.1.2-2 (source) into unstable (Emilio Pozuelo Monfort)
[2017-11-02] xdg-utils 1.1.2-1 MIGRATED to testing (Debian testing watch)
[2017-10-22] Accepted xdg-utils 1.1.2-1 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2015-10-11] xdg-utils 1.1.1-1 MIGRATED to testing (Britney)
[2015-10-05] Accepted xdg-utils 1.1.1-1 (source all) into unstable (Per Olofsson)
[2015-10-04] Accepted xdg-utils 1.1.0-1 (source all) into unstable (Per Olofsson)
[2015-09-28] xdg-utils 1.1.0~rc3+git20150922-1 MIGRATED to testing (Britney)
[2015-09-22] Accepted xdg-utils 1.1.0~rc3+git20150922-1 (source all) into unstable (Per Olofsson)
[2015-09-21] Accepted xdg-utils 1.1.0~rc3+git20150919-1 (source all) into unstable (Per Olofsson)
[2015-09-20] xdg-utils 1.1.0~rc3+git20150907-2 MIGRATED to testing (Britney)
[2015-09-15] Accepted xdg-utils 1.1.0~rc3+git20150907-2 (source all) into unstable (Per Olofsson)
[2015-09-14] xdg-utils 1.1.0~rc3+git20150907-1 MIGRATED to testing (Britney)
[2015-09-08] Accepted xdg-utils 1.1.0~rc3+git20150907-1 (source all) into unstable (Per Olofsson)

bugs [bug history graph]

all: 64 66
RC: 0
I&N: 48 49
M&W: 16 17
F&P: 0
patch: 9

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.1.3-4.1ubuntu3
61 bugs (3 patches)
patches for 1.1.3-4.1ubuntu3