On Tue, Dec 09, 2008 at 02:21:30PM +0100, Olivier Berger wrote:
> Here's a proposed patch for stable too.
>
> Regards,
> -------- Forwarded Message --------
> From: Olivier Berger <olivier.ber...@it-sudparis.eu>
> To: sve...@ozemail.com.au
> Cc: secur...@debian.org
> Subject: Re: Proposed NMU -> twiki-4.0.5-9.1etch2 - Re: [Fwd: [TWiki-Announce] Security Alert -CVE-2008-5305: TWiki SEARCH variable allows arbitrary shell command execution]
> Date: Thu, 04 Dec 2008 14:42:25 +0100
>
> Hi.
>
> Again, same for etch's version.
>
> See proposed twiki_4.0.5-9.1etch2.diff.gz and its corresponding interdiff_4.0.5-9.1etch1_4.0.5-9.1etch2
>
> Note that both NMU proposals were untested. Only the packages seem to build fine.
I just wanted to draw the security team's attention to this bug, since it's a remote arbitrary code execution issue publicly known about (including a proof of concept exploit) since 2008-12-05, for which there is a trivial (four line) fix. I recommend uploading a fixed package for etch ASAP.

I'm not a regular user of twiki, although I have it installed on my server, and have manually deployed the fix without any complaints from users.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)