* Pierre Chifflier:

> That looks serious indeed, and it affects versions from both testing and
> unstable.
>
> There are three different kinds of problems:
> - Cross Site Scripting (unsafe usage of the PHP_SELF server variable
>   within the getParameterisedSelfUrl() function)
> - File handling issues in the RSS functionality
> - PHP Code Execution (only in 1.x branch): unsafe use of preg_replace
>   evaluation when parsing anchor tags and the like
>
> Unfortunately, upstream is not responsive :/ I have tried to contact Tim
> Armes, and the developer list.
If upstream is dead, I wonder if we should release with this package. OTOH,
it's used by Alioth, so we need to provide security support anyway.

> The problems are affecting several parts of the code, and I am not sure
> what the correct solution could be.

Well, first of all, you need to understand what the bugs are. For instance,
I think the third bug is less critical than it looks because you need to
commit something to the repository in order to exploit it.

After that, we can decide on a fix. For the third bug, it's probably best to
remove the vulnerable code altogether (like upstream did for the 2.0
release). The feature doesn't appear to be documented anyway.
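The two bug classes the thread describes in enough detail to show (the PHP_SELF self-link and the preg_replace evaluation over anchor-like tags), each beside a hardened form, as an added example. This is not code from the package or from either mail; the function names selfUrlWeak(), selfUrlSafe() and linkifySafe(), the sample request and the commit message are constructed for the demonstration, and nothing here reproduces the package's own getParameterisedSelfUrl(). The /e payload is the generic PHP behaviour of that modifier, not a step taken from the reported bug.

```php
<?php
// Added example, not code from the package discussed in the thread. It
// shows the two bug classes named there, each beside a hardened form.
// selfUrlWeak/selfUrlSafe/linkifySafe are hypothetical names.

// --- 1. Cross-site scripting through $_SERVER['PHP_SELF'] ----------------
// PHP_SELF is the script path as requested, including trailing PATH_INFO,
// so GET /index.php/"><script>... lands in the attribute unescaped.
function selfUrlWeak(array $params): string
{
    $url = $_SERVER['PHP_SELF'] . '?' . http_build_query($params);
    return '<a href="' . $url . '">self</a>';
}

// Hardened: SCRIPT_NAME names the script that actually ran (no PATH_INFO),
// and the attribute value is HTML-escaped regardless of where it came from.
function selfUrlSafe(array $params): string
{
    $url = $_SERVER['SCRIPT_NAME'] . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">self</a>';
}

// --- 2. Code execution through preg_replace() with the /e modifier ------
// With /e the replacement string is executed as PHP after the back-references
// are substituted. PHP only puts backslashes before quotes and backslashes in
// them, so a tag such as
//   [url={${phpinfo()}}]
// survives into the double-quoted string below, where "{${expr}}" is PHP's
// variable-variable syntax and expr is evaluated. Whoever controls the parsed
// text (here, a commit message) gets code execution.
// /e was deprecated in PHP 5.5 and removed in 7.0; the weak form is kept in a
// nowdoc so this file still parses on current PHP.
$weakLinkify = <<<'CODE'
function linkifyWeak($text) {
    return preg_replace('/\[url=(.*?)\]/e', '"<a href=\"$1\">$1</a>"', $text);
}
CODE;

// Hardened: preg_replace_callback() calls a real function, nothing is
// evaluated, the target is restricted to http(s) and escaped before output.
function linkifySafe(string $text): string
{
    return preg_replace_callback(
        '/\[url=([^\]]+)\]/',
        function (array $m): string {
            $url = $m[1];
            if (!preg_match('#^https?://#i', $url)) {
                // Not a web URL: emit the whole tag as inert text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $safe . '">' . $safe . '</a>';
        },
        $text
    );
}

// --- Demo on constructed input -------------------------------------------
// A request whose PATH_INFO carries the payload, with $_SERVER populated the
// way a web server would (set by hand so the file runs from the CLI).
$_SERVER['PHP_SELF']    = '/index.php/"><script>alert(1)</script>';
$_SERVER['SCRIPT_NAME'] = '/index.php';
echo selfUrlWeak(['rev' => 42]), "\n";   // attribute broken open, script tag live
echo selfUrlSafe(['rev' => 42]), "\n";   // payload absent, attribute intact

// A constructed commit message: one legitimate tag, one carrying a /e payload.
$commitMessage = 'Fix #12, see [url=https://example.org/diff] and [url={${phpinfo()}}]';
echo linkifySafe($commitMessage), "\n";  // second tag comes out as escaped text
```

The demo also illustrates the precondition raised in the reply: the linkifier only ever sees text that somebody was able to commit, so the /e bug needs write access to the repository, whereas the PHP_SELF bug is reachable by anyone who can make a victim follow a link.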