Package: moodle
Severity: grave
Version: 1.8.2-1.3
Tags: security, patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for snoopy, which affects the embedded copy shipped by moodle [0].

CVE-2008-4796[1]:
> The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> and earlier allows remote attackers to execute arbitrary commands via
> shell metacharacters in https URLs. NOTE: some of these details are
> obtained from third party information.

The patch for Snoopy.class.php can be found at [2].

However, it would be better if moodle just depended on libphp-snoopy (available in lenny) and the include/require calls changed to use the copy provided by that package, to avoid shipping yet another embedded code copy.

If you fix the vulnerability please also make sure to include the CVE id in the changelog entry.

[0] usr/share/moodle/lib/snoopy/Snoopy.class.inc
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[2] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net