*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

Binary package hint: syscp

Affected releases: lucid, maverick, natty

According to [1], all syscp 1.4.x versions under 1.4.2.2 are affected by two security vulnerabilities:

* handling of open_basedir paths: Customers are able to add whatever path they want via the documentroot of a domain by appending a colon to it and setting the open basedir path to use that domain documentroot, not the customer root.
* problem in safe_exec executing unwanted commands

Since the Ubuntu package changelog (copy Debian's one please ;) does not specify the date, I believe the current package is vulnerable against those 2 issues. Debian version is as well, although the vuln is not reported either [2]. Would be nice to inform them :)

Patch has been issued by developers of the software at [1].

[1] http://www.syscp-forum.org/index.php?topic=4981.0
[2] http://packages.debian.org/changelogs/pool/main/s/syscp/syscp_1.4.2.1-2.1/changelog

** Affects: syscp (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: security

--
syscp -- 2 unpatched security vulnerabilities
https://bugs.edge.launchpad.net/bugs/693196
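
The open_basedir issue in the report comes from open_basedir being a separator-delimited list, so a documentroot containing a colon becomes more than one allowed path. The check below is an added example, not SysCP's code or its upstream patch; the function name `safe_documentroot` and the sample paths are hypothetical.

```php
<?php
// Added illustration; not SysCP code. Function name and paths are hypothetical.

/**
 * Return a normalized documentroot that is safe to place in open_basedir,
 * or null if the input must be rejected.
 */
function safe_documentroot(string $customerRoot, string $requested): ?string
{
    // open_basedir is a list: ':' separates entries on Unix, ';' on Windows.
    // A separator, NUL or line break inside one entry would add entries or
    // break out of the generated config line, so refuse them outright.
    if ($requested === '' || preg_match('/[:;\x00-\x1f]/', $requested)) {
        return null;
    }

    // Treat relative input as relative to the customer root.
    $path = $requested[0] === '/' ? $requested : $customerRoot . '/' . $requested;

    // Resolve '.' and '..' lexically; the directory may not exist yet,
    // so realpath() cannot be relied on here.
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    $normalized = '/' . implode('/', $parts);

    // Must be the customer root itself or strictly below it. Comparing with
    // a trailing slash stops '/…/alice2' from matching the root '/…/alice'.
    $root = rtrim($customerRoot, '/');
    if ($normalized !== $root && strpos($normalized, $root . '/') !== 0) {
        return null;
    }
    return $normalized;
}

// Constructed sample inputs: two legitimate values, then three to reject.
$root = '/var/customers/webs/alice';
$samples = ['site1', '/var/customers/webs/alice/site1/', 'site1:/etc',
            '../bob', '/var/customers/webs/alice2'];
foreach ($samples as $in) {
    printf("%-36s => %s\n", $in, safe_documentroot($root, $in) ?? 'REJECTED');
}
```

The normalization is lexical only, so it does not account for symlinks a customer creates inside their own root.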