Package: tdiary
Version: 2.1.4-5
Severity: critical
Tags: security
Justification: root security hole
A vulnerability has been reported in tDiary, which can be exploited by malicious people to run arbitrary commands on the web server. Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary code on a web server hosting the tDiary CGI.

The vulnerability is reported in the versions below:

- prior to 2.0.3 (Debian stable, testing and unstable)
- prior to tDiary 2.1.4.20061127 (Debian experimental)

An announcement from the upstream site is at http://www.tdiary.org/20061210.html (written in Japanese only).

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)

Versions of packages tdiary depends on:
ii  libdpkg-ruby1.8      0.3.2      modules/classes for dpkg on ruby 1
ii  libuconv-ruby1.8     0.4.12-2   Unicode/EUC-JP translation module
ii  rdtool               0.6.20-1   RD document formatter
ii  ruby                 1.8.2-1    An interpreter of object-oriented

Versions of packages tdiary recommends:
ii  tdiary-mode          2.0.3-1    tDiary editing mode for Emacsen

-- no debconf information