Your message dated Sun, 02 Nov 2008 10:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504169: fixed in ampache 3.4.1-2
has caused the Debian Bug report #504169,
regarding CVE-2008-4796: missing input sanitising in Snoopy.class.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504169: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504169
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ampache
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ampache.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch



--- End Message ---
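The CVE text quoted in the report describes a shell-injection pattern: a caller-controlled https URL ends up inside a command line that is handed to a shell, so metacharacters in the URL become additional commands. The PHP below is an added illustration for this page, not Snoopy's `_httpsrequest` and not the Debian patch; the curl path, the flags, the function names and the sample URL are assumptions, and the attacker URL is constructed:

```php
<?php
// Added illustration, not Snoopy's own code. It mirrors the class of bug in
// CVE-2008-4796: a URL supplied by the caller is pasted into a shell command
// line (an external curl binary), so shell metacharacters in the URL become
// extra commands. The curl path, flags and function names are assumptions.

const CURL_PATH = '/usr/bin/curl';   // assumed location of the curl binary

// Vulnerable pattern: the URL is interpolated into a double-quoted shell
// argument. A `"` inside the URL ends that argument; whatever follows is
// parsed by /bin/sh as further commands once this string reaches exec().
function build_cmd_vulnerable(string $uri): string
{
    return CURL_PATH . ' -k -s "' . $uri . '"';
}

// Hardened pattern: escapeshellarg() single-quotes the value and escapes any
// embedded single quote, so the whole URL is exactly one argument to curl and
// the shell never sees a command boundary inside it.
function build_cmd_safe(string $uri): string
{
    return CURL_PATH . ' -k -s ' . escapeshellarg($uri);
}

// Better still: do not involve a shell at all. proc_open() accepts an argv
// array (PHP >= 7.4) and executes it directly, with no /bin/sh parsing.
// The `--` keeps a URL starting with `-` from being read as a curl option.
function build_argv_no_shell(string $uri): array
{
    return [CURL_PATH, '-k', '-s', '--', $uri];
}

// Input validation as defence in depth, not as the fix: require something
// that parses as an http(s) URL with a host, and reject whitespace, quotes
// and shell operators outright (stricter than RFC 3986 on purpose).
function is_acceptable_uri(string $uri): bool
{
    $p = parse_url($uri);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return preg_match('/[\s"\'`$\\\\;|&<>]/', $uri) === 0;
}

// Constructed attacker input: a URL that carries shell metacharacters.
$evil = 'https://example.invalid/"; id > /tmp/pwned; "';

echo "vulnerable: ", build_cmd_vulnerable($evil), PHP_EOL;
echo "safe:       ", build_cmd_safe($evil), PHP_EOL;
echo "argv:       ", json_encode(build_argv_no_shell($evil)), PHP_EOL;
echo "accepted:   ", var_export(is_acceptable_uri($evil), true), PHP_EOL;
echo "accepted:   ", var_export(is_acceptable_uri('https://example.invalid/a?b=c'), true), PHP_EOL;
```

Run it with `php` on the command line. The first line printed shows the `"` inside the URL closing curl's quoted argument, leaving the rest of the URL for the shell to run; the second shows the same URL as a single single-quoted argument; the argv form never builds a shell string at all. The validator rejects the constructed URL and accepts the plain one, but quoting (or avoiding the shell) is what closes the hole, so the validator is there only to fail early.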
--- Begin Message ---
Source: ampache
Source-Version: 3.4.1-2

We believe that the bug you reported is fixed in the latest version of
ampache, which is due to be installed in the Debian FTP archive:

ampache_3.4.1-2.diff.gz
  to pool/main/a/ampache/ampache_3.4.1-2.diff.gz
ampache_3.4.1-2.dsc
  to pool/main/a/ampache/ampache_3.4.1-2.dsc
ampache_3.4.1-2_all.deb
  to pool/main/a/ampache/ampache_3.4.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Charlie Smotherman <[EMAIL PROTECTED]> (supplier of updated ampache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 01 Nov 2008 13:47:43 -0500
Source: ampache
Binary: ampache
Architecture: source all
Version: 3.4.1-2
Distribution: unstable
Urgency: low
Maintainer: Charlie Smotherman <[EMAIL PROTECTED]>
Changed-By: Charlie Smotherman <[EMAIL PROTECTED]>
Description: 
 ampache    - web-based audio file management system
Closes: 496369 504169
Changes: 
 ampache (3.4.1-2) unstable; urgency=low
 .
     * Made package depend on libjs-prototype to correct a lintian error of
       "courtesy copies of code".  Adjusted debian/control, debian/rules,
       debian/links, postinst, postrm to reflect this dependency.
     * Made package depend on libphp-snoopy due to CVE-2008-4796.  Adjusted
       debian/control, debian/rules, debian/links, postinst, postrm to reflect
       this dependency. Closes: #504169
     * Removed /usr/share/ampache/www/locale/base/gather-messages.sh from package
       to close a potential security hole.  Closes: #496369
Checksums-Sha1: 
 cfff5618783b365b02dba631f52a59905e2f4240 986 ampache_3.4.1-2.dsc
 7c2a4aa5101a91ff198f5453762896bfcb260840 15090 ampache_3.4.1-2.diff.gz
 5da0c5ede3e1f8a9013c308c787669e1a96970e3 1329464 ampache_3.4.1-2_all.deb
Checksums-Sha256: 
 ca95ac1ed22e5c5b1d5c6f48cc2de14cf1e6d6e7c1cba9a209a502a47a0a2234 986 ampache_3.4.1-2.dsc
 b14c3c01f957f2dfe10541e18ebdd76d23bc1473f0dd26e76a458c9504a1f595 15090 ampache_3.4.1-2.diff.gz
 e3a17c8fc9cb11a80b5da5fc3aeeed45c0c6f3d8d405a778490a954644faeafe 1329464 ampache_3.4.1-2_all.deb
Files: 
 b8bc62045116145a8fd722d0a8bbfcbe 986 web optional ampache_3.4.1-2.dsc
 9efd757cc5132e0630e5afcd4258e33c 15090 web optional ampache_3.4.1-2.diff.gz
 fc90f8a1e35e45117de09b7586b8002c 1329464 web optional ampache_3.4.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkNg7YACgkQ62zWxYk/rQfl3gCgg8/JlBw2LOM7jvKIIhZ1E3uK
hM8AnRmKJNjcZgP+LQkcdBEgVt0oDS35
=foBo
-----END PGP SIGNATURE-----



--- End Message ---
