On Sat, Nov 01, 2008 at 10:11:56PM +1100, Steffen Joeris wrote:
> Package: mahara
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mahara.
>
> CVE-2008-4796[0]:
> | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> | and earlier allows remote attackers to execute arbitrary commands via
> | shell metacharacters in https URLs. NOTE: some of these details are
> | obtained from third party information.
>
> The extracted patch for Snoopy.class.php can be found here[1]. However
> it would be much appreciated (and it is a release goal anyway), if
> you could just depend on libphp-snoopy, instead of duplicating the code.
> (Maybe you need to change some includes, I didn't check that).
> That would make life much easier for the security team.
>
> From what I can see you have two small patches in your copy of
> Snoopy.class.php. However, if I am not mistaken, both could probably
> go into the libphp-snoopy package, so please talk to the maintainer,
> if you really depend on them.
From what I remember, we _did_ need those patches, so we'll be sure to talk
to the Snoopy maintainer about that. It does make more sense for us to
depend on libphp-snoopy; we already had this problem with Smarty in Debian
too.

Thanks for the report.

-- 
Regards,
Nigel McNie | Mahara Lead Developer | http://www.mahara.org/
Catalyst IT | http://catalyst.net.nz
DDI: +64 4 803 2203
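As an added illustration of the bug class named in the CVE text above (this is not Snoopy's code and not the patch referenced at [1]): a fetcher that splices a caller-supplied https URL into a curl command line and hands it to the shell, next to a version that validates the scheme and quotes the URL as a single shell argument. The function names, the curl path and the sample URL are assumptions made for this example.

```php
<?php
// Added example: the command-injection pattern described by CVE-2008-4796,
// shown on a hypothetical fetcher. NOT Snoopy's code; curl path, function
// names and the sample URL are assumptions.

function build_fetch_command_vulnerable(string $curlPath, string $uri): string
{
    // The URL is interpolated straight into a shell command line, so any
    // shell metacharacter in $uri (';', '|', '`', '$(...)', '>') is
    // interpreted by /bin/sh when the string reaches exec()/shell_exec().
    return $curlPath . ' -s -L ' . $uri;
}

function build_fetch_command_hardened(string $curlPath, string $uri): string
{
    // 1. Only accept http(s) URLs. parse_url() is lenient and does not
    //    reject shell metacharacters by itself, so this check narrows
    //    the input but is not the actual fix.
    $parts = parse_url($uri);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('refusing to fetch a non-http(s) URI');
    }

    // 2. The fix: escapeshellarg() wraps the value in single quotes and
    //    escapes any embedded single quote, so the shell sees exactly one
    //    literal argument no matter what characters it contains.
    return $curlPath . ' -s -L ' . escapeshellarg($uri);
}

// Constructed malicious input: the ';' ends the curl command and the
// remainder would run as a second command under the vulnerable builder.
$evil = 'https://example.org/; id > /tmp/pwned';

// Vulnerable: the shell parses this as two commands.
echo build_fetch_command_vulnerable('/usr/bin/curl', $evil), PHP_EOL;

// Hardened: the whole URL, metacharacters included, is one quoted word.
echo build_fetch_command_hardened('/usr/bin/curl', $evil), PHP_EOL;

// To actually run it (not executed here):
//   exec(build_fetch_command_hardened('/usr/bin/curl', $uri), $out, $rc);
```

Two caveats a reviewer of such a fix should check. First, escapeshellcmd() is not a substitute for escapeshellarg() here: it escapes the metacharacters in a whole command string but still lets the input add extra whitespace-separated arguments to curl, whereas escapeshellarg() confines the input to a single argument. Second, the cleanest fix is to avoid the shell entirely, either by using PHP's curl extension (curl_init()/curl_exec()) or by passing an argument array to proc_open() (PHP 7.4+), which executes the program directly without any shell parsing.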