Hi Olivier,

> I've been trying to investigate the issue of the potential incomplete
> fix for CVE-2007-4048, which had not been applied to the version of
> phpgroupware in stable/etch (bug #472685).
> 
> It appears that that version of the phpgroupware-phpsysinfo package was
> not vulnerable (see Dave Hall's (upstream developer) message below).
> There was just a copy of the original vulnerable phpsysinfo code, but
> which wouldn't be callable in the version wrapped inside phpGroupware
> (phpsysinfo footer replaced by phpgroupware footer).
> 
> Thus, the proposed patch seems not necessary if we trust Dave (note that
> it wouldn't hurt either, since that code is not executed, as I verified
> on a patched package on stable).
> 
> I'm not sure it's worth issuing a security update for that package,
> then. If it were to be, then the proposed NMU is available in the
> #472685 thread.
> 
> I'm requesting the security team's advice on what should be done now.
> 
> I'm still concerned that
> http://security-tracker.debian.net/tracker/CVE-2007-4048 would exhibit a
> problem on stable, then.
> 
> Looking forward to reading from you.

Sorry for the late reply. We were busy with other issues.

Thanks for taking over phpgroupware maintenance, we're looking forward
to working with you on future updates.

I agree that we don't need a security update. In general we don't support
security problems in code which is never called or can only be called
in debug mode etc.

Cheers,
        Moritz


