On Sun, May 13, 2012 at 06:04:03PM +0100, Steve McIntyre wrote:
> On Tue, Mar 08, 2011 at 10:37:13PM +0100, Moritz Muehlenhoff wrote:
> >On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
> >> Hi,
> >> 
> >> About openacs and dotlrn packages, I don't think they are affected by
> >> any of the Xinha vulnerabilities [1][2][3]. The summary says:
> >> 
> >> "Xinha ships with several plugins that utilize PHP scripting for special
> >> usage, like the ImageManager or ExtendedFileManager. A 0-day security
> >> exploit has been reported available as of today that exploits the
> >> functionality of these plugins to upload malicious files to your
> >> webspace, to execute foreign code." [4]
> >> 
> >> It seems a PHP problem, and the proposed fix is just to remove a bunch
> >> of php files, so I guess the packages are safe because they don't use
> >> PHP at all, as well as the aolserver package. There is no way to execute
> >> that PHP code on openacs or dotlrn.
> >> 
> >> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
> >> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
> >> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
> >> [4] http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html
> >
> >Thanks, I've updated the security tracker.
> 
> So... does this bug still need to be grave?
> 
> Looking at other bugs and security tracker issues in serendipity, I'd
> be tempted to remove it from Debian anyway...

I suggested the same some time ago and Thijs (added to CC) said that
removing it from testing would be the first step (which we did back
then).

Thijs, what's your take on dropping s9y for Wheezy?

Cheers,
        Moritz