Your message dated Fri, 30 Jul 2010 01:02:18 +0000
with message-id <e1oedzo-0004mj...@franck.debian.org>
and subject line Bug#582587: fixed in mydms 1.7.2+1.7.3-1.1
has caused the Debian Bug report #582587,
regarding mydms: Directory traversal and CSRF vulnerabilities discovered in <= 1.7.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
582587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582587
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mydms
Severity: grave
Tags: security
Justification: user security hole

Hi,

some rather serious security vulnerabilities have been discovered in MyDMS <= 1.7.2.

One of them is a directory traversal and the others are several cross-site request forgeries.

More information is here:

https://www.sec-consult.com/files/20100115-0_mydms_file_inclusion.txt

Regards,
Pedro



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34-toi-a4dj (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: mydms
Source-Version: 1.7.2+1.7.3-1.1

We believe that the bug you reported is fixed in the latest version of
mydms, which is due to be installed in the Debian FTP archive:

mydms_1.7.2+1.7.3-1.1.diff.gz
  to main/m/mydms/mydms_1.7.2+1.7.3-1.1.diff.gz
mydms_1.7.2+1.7.3-1.1.dsc
  to main/m/mydms/mydms_1.7.2+1.7.3-1.1.dsc
mydms_1.7.2+1.7.3-1.1_all.deb
  to main/m/mydms/mydms_1.7.2+1.7.3-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 582...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated mydms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Thu, 29 Jul 2010 20:44:37 -0400
Source: mydms
Binary: mydms
Architecture: source all
Version: 1.7.2+1.7.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Miguel Gea Milvaques <xera...@debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description: 
 mydms      - open-source document management system based on PHP and MySQL
Closes: 582587
Changes: 
 mydms (1.7.2+1.7.3-1.1) unstable; urgency=medium
 .
   * Fix CVE-2010-2006 (Closes: #582587)




--- End Message ---
