On Tue, Mar 08, 2011 at 10:37:13PM +0100, Moritz Muehlenhoff wrote:
>On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
>> Hi,
>> 
>> About openacs and dotlrn packages, I don't think they are affected by
>> any of the Xinha vulnerabilities [1][2][3]. The summary says:
>> 
>> "Xinha ships with several plugins that utilize PHP scripting for special
>> usage, like the ImageManager or ExtendedFileManager. A 0-day security
>> exploit has been reported available as of today that exploits the
>> functionality of these plugins to upload malicious files to your
>> webspace, to execute foreign code." [4]
>> 
>> It seems to be a PHP problem, and the proposed fix is just to remove a bunch
>> of PHP files, so I guess the packages are safe because they don't use
>> PHP at all, as well as the aolserver package. There is no way to execute
>> that PHP code on openacs or dotlrn.
>> 
>> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
>> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
>> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
>> [4]
>> http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html
>
>Thanks, I've updated the security tracker.

So... does this bug still need to be grave?

Looking at other bugs and security tracker issues in serendipity, I'd
be tempted to remove it from Debian anyway...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.
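The argument above rests on a checkable claim: the packages ship no PHP at all, so the Xinha plugin backends that the Serendipity advisory removes cannot be present. The following shell snippet is an added example, not part of this bug thread or of any Debian package; it walks an unpacked package tree (or an installed Xinha directory) and lists every file that either carries a PHP extension or contains a `<?php` opening tag, so a maintainer can confirm "no PHP" rather than assume it. The directory layout used in `make_sample_tree` is constructed for the demonstration and does not reflect the real openacs, dotlrn or Xinha package layout.

```shell
#!/bin/sh
# Added example (not from the bug thread): verify that a package tree or an
# installed Xinha directory ships no PHP code.

# Print every file under $1 that looks like PHP, either by extension or by
# content (a "<?php" tag inside a .inc or otherwise-named file still counts).
xinha_php_files() {
    dir="$1"
    {
        find "$dir" -type f \( -name '*.php' -o -name '*.php[345]' -o -name '*.phtml' \)
        grep -rl '<?php' "$dir" 2>/dev/null
    } | sort -u
}

# Number of PHP-bearing files; 0 means the "no PHP at all" argument holds
# for this tree and the plugin-backend issue cannot apply.
xinha_php_count() {
    xinha_php_files "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (paths are illustrative, not a real package layout):
# "affected" carries PHP backends under a plugin, "clean" is JavaScript only.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/affected/xinha/plugins/ImageManager/backend" \
             "$base/clean/xinha/plugins/ImageManager"
    printf '<?php\n// constructed stand-in for a PHP backend\n' \
        > "$base/affected/xinha/plugins/ImageManager/backend/manager.php"
    printf '<?php // constructed include file\n' \
        > "$base/affected/xinha/plugins/ImageManager/config.inc"
    printf 'var x = 1;\n' \
        > "$base/affected/xinha/plugins/ImageManager/image-manager.js"
    printf 'var x = 1;\n' \
        > "$base/clean/xinha/plugins/ImageManager/image-manager.js"
}

# Stand-alone usage: build the sample tree and report both counts.
if [ -z "$XINHA_CHECK_NO_MAIN" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "affected tree: $(xinha_php_count "$tmp/affected") PHP file(s)"
    xinha_php_files "$tmp/affected"
    echo "clean tree:    $(xinha_php_count "$tmp/clean") PHP file(s)"
    rm -rf "$tmp"
fi
```

Run it against the unpacked binary package (for example the directory produced by `dpkg-deb -x`) rather than the source tree; a count of zero there is the evidence that the package cannot serve the removed plugin backends, independent of whether the web server has a PHP handler configured.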