Your message dated Tue, 04 Nov 2008 00:02:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504170: fixed in mahara 1.0.4-3
has caused the Debian Bug report #504170,
regarding CVE-2008-4796: missing input sanitising in Snoopy.class.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504170: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504170
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mahara.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.
The extracted patch for Snoopy.class.php can be found here[1]. However,
it would be much appreciated (and it is a release goal anyway) if
you could just depend on libphp-snoopy instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that.)
That would make life much easier for the security team.
From what I can see you have two small patches in your copy of
Snoopy.class.php. However, if I am not mistaken, both could probably
go into the libphp-snoopy package, so please talk to the maintainer
if you really depend on them.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
--- End Message ---
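The mitigation the CVE description above calls for, as an added example that is neither Snoopy's nor Mahara's code: the URL is validated as a plain https URL first, and then every piece of the curl command line that an outside party can influence is wrapped in escapeshellarg() so that shell metacharacters reach curl as literal bytes instead of the shell. The function names are hypothetical, the sample inputs are constructed, and the code assumes PHP 7 or later and curl's real -D (header dump) option.

```php
<?php
// Added example, not Snoopy's or Mahara's code. Hypothetical helpers showing
// the safe way to hand an https URL to an external curl binary via exec().

/**
 * Accept only a well-formed https URL with a DNS-style host and no userinfo.
 * Rejecting early keeps other schemes and malformed input away from the shell.
 */
function is_safe_https_url(string $uri): bool
{
    if (filter_var($uri, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Hostname: letters, digits, dots and hyphens only.
    return (bool) preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'] ?? '');
}

/**
 * Build the command line with every externally influenced argument quoted.
 * escapeshellarg() single-quotes the value, so characters such as ';', '&',
 * '|' or '$' inside the URL are data for curl, not syntax for the shell.
 */
function build_curl_cmd(string $curlPath, string $headerFile, string $uri): string
{
    if (!is_safe_https_url($uri)) {
        throw new InvalidArgumentException('refusing non-https or malformed URL');
    }
    return escapeshellarg($curlPath)
        . ' -D ' . escapeshellarg($headerFile)
        . ' ' . escapeshellarg($uri);
}

// Constructed sample inputs. A legitimate URL often contains '&', which is a
// shell metacharacter: quoting, not blocklisting, is what keeps it harmless.
echo build_curl_cmd('/usr/bin/curl', '/tmp/headers.txt',
                    'https://example.org/search?q=a&b=c'), "\n";
try {
    build_curl_cmd('/usr/bin/curl', '/tmp/headers.txt', 'ftp://example.org/');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call prints a command whose URL argument is single-quoted, so the `&` never reaches the shell; the second is rejected before any command string is built.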
--- Begin Message ---
Source: mahara
Source-Version: 1.0.4-3
We believe that the bug you reported is fixed in the latest version of
mahara, which is due to be installed in the Debian FTP archive:
mahara-apache2_1.0.4-3_all.deb
to pool/main/m/mahara/mahara-apache2_1.0.4-3_all.deb
mahara_1.0.4-3.diff.gz
to pool/main/m/mahara/mahara_1.0.4-3.diff.gz
mahara_1.0.4-3.dsc
to pool/main/m/mahara/mahara_1.0.4-3.dsc
mahara_1.0.4-3_all.deb
to pool/main/m/mahara/mahara_1.0.4-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francois Marier <[EMAIL PROTECTED]> (supplier of updated mahara package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Tue, 04 Nov 2008 12:46:14 +1300
Source: mahara
Binary: mahara mahara-apache2
Architecture: source all
Version: 1.0.4-3
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Mahara Debian Packaging Team <[EMAIL PROTECTED]>
Changed-By: Francois Marier <[EMAIL PROTECTED]>
Description:
mahara - Electronic portfolio, weblog, and resume builder
mahara-apache2 - Electronic portfolio, weblog, and resume builder - apache2 config
Closes: 504170 504253
Changes:
mahara (1.0.4-3) testing-proposed-updates; urgency=high
.
* Depend on libphp-snoopy instead of using the embedded copy shipped
with Mahara (CVE-2008-4796, closes: #504170)
* Backport upstream's patch (41189c30d198153dc66dc867e160dab948929458)
to phpmailer (CVE-2007-3125, closes: #504253)
--- End Message ---