Your message dated Mon, 03 Nov 2008 14:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504171: fixed in pixelpost 1.7.1-5
has caused the Debian Bug report #504171,
regarding CVE-2008-4796: missing input sanitising
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504171: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504171
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: pixelpost
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pixelpost.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.
The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
--- End Message ---
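Illustration of the bug class behind the CVE text quoted in the report above: a caller-controlled https URL spliced into a shell command line. This is an added example, not code from Snoopy, pixelpost or the Debian patch; the helper names, the `curl -s` command shape and the attacker URL are assumptions made for the example.

```php
<?php
// Added example (not Snoopy's code): the pattern behind CVE-2008-4796.
// Snoopy's _httpsrequest shelled out to curl for https URLs; the helpers
// below are hypothetical and only reproduce that shape.

// Vulnerable shape: the URL is interpolated into a shell command string.
// A URL such as  https://example.com/";id;"  or  https://example.com/$(id)
// escapes the double quotes, so exec() of this string runs the injected
// command.
function build_curl_cmd_vulnerable(string $url): string
{
    return 'curl -s "' . $url . '"';
}

// Hardened shape, step 1: validate the URL before it goes anywhere near a
// shell. parse_url() plus a per-component allowlist is easier to reason
// about than a denylist of shell metacharacters.
function is_safe_https_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                     // credentials in the URL are not expected
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $p['host'])) {
        return false;
    }
    // Conservative allowlist for path and query; quotes, $, backticks,
    // ;, |, &&, whitespace and newlines are all rejected here.
    $tail = ($p['path'] ?? '') . (isset($p['query']) ? '?' . $p['query'] : '');
    return preg_match('#^[A-Za-z0-9._~%!*+,:@/=?&-]*$#', $tail) === 1;
}

// Hardened shape, step 2: even a validated URL is passed as one quoted
// argument. escapeshellarg() single-quotes the value and escapes embedded
// single quotes, so nothing in it is interpreted by the shell.
function build_curl_cmd_hardened(string $url): ?string
{
    if (!is_safe_https_url($url)) {
        return null;
    }
    return 'curl -s ' . escapeshellarg($url);
}

// Better still on PHP >= 7.4: proc_open() accepts an array command and
// then executes the program directly with no shell, so there is no
// command line to inject into. '--' stops curl from reading the URL as
// an option if it ever started with '-'.
function curl_argv(string $url): ?array
{
    return is_safe_https_url($url) ? ['curl', '-s', '--', $url] : null;
}

$attack = 'https://example.com/";id;"';             // constructed attacker input
var_dump(build_curl_cmd_vulnerable($attack));       // would run `id` if exec()'d
var_dump(build_curl_cmd_hardened($attack));         // NULL: rejected by the allowlist
var_dump(build_curl_cmd_hardened('https://example.com/a.php?x=1'));
var_dump(curl_argv('https://example.com/a.php?x=1'));
```

The two hardening steps are independent: the allowlist limits what the application accepts, and escapeshellarg() (or the array form of proc_open()) guarantees that whatever is accepted cannot change the command being run. Applying only one of them is the kind of partial fix that tends to get reopened.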
--- Begin Message ---
Source: pixelpost
Source-Version: 1.7.1-5
We believe that the bug you reported is fixed in the latest version of
pixelpost, which is due to be installed in the Debian FTP archive:
pixelpost_1.7.1-5.diff.gz
to pool/main/p/pixelpost/pixelpost_1.7.1-5.diff.gz
pixelpost_1.7.1-5.dsc
to pool/main/p/pixelpost/pixelpost_1.7.1-5.dsc
pixelpost_1.7.1-5_all.deb
to pool/main/p/pixelpost/pixelpost_1.7.1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Luthi <[EMAIL PROTECTED]> (supplier of updated pixelpost package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 03 Nov 2008 15:07:55 +0100
Source: pixelpost
Binary: pixelpost
Architecture: source all
Version: 1.7.1-5
Distribution: unstable
Urgency: high
Maintainer: Xavier Luthi <[EMAIL PROTECTED]>
Changed-By: Xavier Luthi <[EMAIL PROTECTED]>
Description:
pixelpost - multi-lingual, fully extensible photoblog application
Closes: 504171
Changes:
pixelpost (1.7.1-5) unstable; urgency=high
.
* Use libphp-snoopy instead of own copy (thanks Evgeni Golov).
+ Closes: #504171
+ Fixes: CVE-2008-4796
Checksums-Sha1:
7b839b46b515884d3caf9f5c7bf6811bfd95b655 1036 pixelpost_1.7.1-5.dsc
d763a4add729addf2d0e97d6823ce3bfc3fa399b 13091 pixelpost_1.7.1-5.diff.gz
190114326bab8e720a01b21630f17e80114e04f6 560910 pixelpost_1.7.1-5_all.deb
Checksums-Sha256:
52d11aadf9e2c9d9b513512eccf98158d0f860d09d6ae7ba1a4c82c19511a05a 1036 pixelpost_1.7.1-5.dsc
704df287985e85d6410b62db0919ebf1d77cb5e5686ff9468fe8ca588036b232 13091 pixelpost_1.7.1-5.diff.gz
88017d84727527d1dc41344d5ca34e889376c8e571eb570d2ecdaf4866c19594 560910 pixelpost_1.7.1-5_all.deb
Files:
18bd5ebd729227f600dcd16daa50c5f8 1036 web optional pixelpost_1.7.1-5.dsc
e95c8f8b27da9449563cb31d6edcbf83 13091 web optional pixelpost_1.7.1-5.diff.gz
9fb7f27e9312e4c9234daac11ed9fc7d 560910 web optional pixelpost_1.7.1-5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkPBfYACgkQgT/oOnSXSCQiagCePFHas9e5eHfW8iN9Pn7eKQn3
l4QAoI3n8GDY6Y7SNvzi8pcdVhKuIcu1
=4JP+
-----END PGP SIGNATURE-----
--- End Message ---