Your message dated Mon, 03 Nov 2008 06:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504170: fixed in mahara 1.0.5-2
has caused the Debian Bug report #504170,
regarding CVE-2008-4796: missing input sanitising in Snoopy.class.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504170: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504170
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mahara.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.

From what I can see you have two small patches in your copy of
Snoopy.class.php. However, if I am not mistaken, both could probably
go into the libphp-snoopy package, so please talk to the maintainer,
if you really depend on them.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch



--- End Message ---
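The vulnerability class named in the CVE text above (a URL string interpolated into a shell command, so shell metacharacters in it are parsed as command syntax) and the shape of a sanitising fix, as an added illustration. This is not Snoopy's, Mahara's or the Debian patch's own code; the function names and the curl path are assumptions, and the sample URLs are constructed.

```php
<?php
// Added illustration of the CVE-2008-4796 bug class; not code from Snoopy or
// Mahara. Names (build_command_unsafe, build_command_safe, fetch_https) and
// the curl path are assumptions.

// Vulnerable pattern: the caller-supplied URL is concatenated into the command
// line as-is, so /bin/sh interprets any metacharacter in it (';', '|', '`', ...).
// Kept only for contrast with the hardened version below.
function build_command_unsafe(string $curl_path, string $url): string
{
    return $curl_path . ' -s ' . $url;
}

// Hardened pattern:
//  1. accept only a syntactically valid https URL with a plausible host, and
//  2. hand the URL to the shell as one quoted argument via escapeshellarg(),
//     so whatever it contains is data, never command syntax.
function build_command_safe(string $curl_path, string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null; // not an https URL: refuse before any command is built
    }
    // defence in depth: a hostname consists of letters, digits, '-' and '.'
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return escapeshellarg($curl_path) . ' -s ' . escapeshellarg($url);
}

// Fetch helper built on the hardened command; returns null on rejection or error.
function fetch_https(string $curl_path, string $url): ?string
{
    $cmd = build_command_safe($curl_path, $url);
    if ($cmd === null) {
        return null;
    }
    exec($cmd, $lines, $status);
    return $status === 0 ? implode("\n", $lines) : null;
}

// Self-check on constructed inputs; no network access is needed because only
// the command strings are inspected.
$curl = '/usr/bin/curl';
$benign  = 'https://example.org/index.html';
$hostile = 'https://example.org/a;b';   // constructed: carries a shell metacharacter

assert(build_command_safe($curl, $benign) === "'/usr/bin/curl' -s 'https://example.org/index.html'");
// The ';' survives only inside single quotes, where the shell treats it literally.
assert(build_command_safe($curl, $hostile) === "'/usr/bin/curl' -s 'https://example.org/a;b'");
// Non-URL input and non-https schemes are refused outright.
assert(build_command_safe($curl, 'not a url') === null);
assert(build_command_safe($curl, 'http://example.org/') === null);
```

The two-step shape (validate the value against what it is supposed to be, then quote it for the interpreter that will consume it) is the general fix for this class of bug; quoting alone protects the shell, while the validation step also keeps unexpected schemes and hosts out of the request.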
--- Begin Message ---
Source: mahara
Source-Version: 1.0.5-2

We believe that the bug you reported is fixed in the latest version of
mahara, which is due to be installed in the Debian FTP archive:

mahara-apache2_1.0.5-2_all.deb
  to pool/main/m/mahara/mahara-apache2_1.0.5-2_all.deb
mahara_1.0.5-2.diff.gz
  to pool/main/m/mahara/mahara_1.0.5-2.diff.gz
mahara_1.0.5-2.dsc
  to pool/main/m/mahara/mahara_1.0.5-2.dsc
mahara_1.0.5-2_all.deb
  to pool/main/m/mahara/mahara_1.0.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <[EMAIL PROTECTED]> (supplier of updated mahara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Nov 2008 19:16:44 +1300
Source: mahara
Binary: mahara mahara-apache2
Architecture: source all
Version: 1.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Mahara Debian Packaging Team <[EMAIL PROTECTED]>
Changed-By: Francois Marier <[EMAIL PROTECTED]>
Description: 
 mahara     - Electronic portfolio, weblog, and resume builder
 mahara-apache2 - Electronic portfolio, weblog, and resume builder - apache2 config
Closes: 504170 504253
Changes: 
 mahara (1.0.5-2) unstable; urgency=high
 .
   * Depend on libphp-snoopy instead of using the embedded copy shipped
     with Mahara (CVE-2008-4796, closes: #504170)
   * Backport upstream's patch (41189c30d198153dc66dc867e160dab948929458)
     to phpmailer (CVE-2007-3125, closes: #504253)
   * Add lintian overrides for the customised embedded libraries
Checksums-Sha1: 
 757a1ca7f61fca950b85cd4fdfdac0a0f1de8ef0 1268 mahara_1.0.5-2.dsc
 aff1ab7f2de9d525c24ad61aa3dee407ae9c630f 20539 mahara_1.0.5-2.diff.gz
 9d4a8538562fa4e483ff888272e26d568a5fb060 1645452 mahara_1.0.5-2_all.deb
 179be3fc806652977f19d5ad57c28a737f8df9c4 7634 mahara-apache2_1.0.5-2_all.deb
Checksums-Sha256: 
 441a09bb8b007844c0d1f5af06fd14b7b2ecc1f3542ae22027dff8e0ac1e6912 1268 mahara_1.0.5-2.dsc
 3c5a8e7b4d378a6415b230fa1d1f025e3b282cb1515365b83c6168bb07ef9db3 20539 mahara_1.0.5-2.diff.gz
 40e3f8ca0c316e1632fd0d226ac60d8bb23ee0ca8f5847c1028805ed3792724c 1645452 mahara_1.0.5-2_all.deb
 a44b4e51082c806b6b8b1f83c3ee28705b2d347a3daf0c19e7549cbc521b883a 7634 mahara-apache2_1.0.5-2_all.deb
Files: 
 c7a7f95535f13ee941a52e0e82bd955c 1268 web optional mahara_1.0.5-2.dsc
 192a9892fb63aa9bf95df2bf3198a18f 20539 web optional mahara_1.0.5-2.diff.gz
 73e62499e2278f568c9bd463de380846 1645452 web optional mahara_1.0.5-2_all.deb
 cbdd97c84df0319bf6f0751959286dc9 7634 web optional mahara-apache2_1.0.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkOl7kACgkQScUZKBnQNIYSsgCghtKUtytolAorfgNNwDExh/8F
b/QAn2lctj2jlYRkF0+Uf/dVVdzGYks5
=40Q7
-----END PGP SIGNATURE-----



--- End Message ---
