Moritz Muehlenhoff wrote:
> Package: oops
> Severity: grave
> Tags: security patch sid woody
> Justification: user security hole
>
> [Cc:ing security@, should affect woody as well]

It does.

> A format string vulnerability in the auth() function for SQL database
> user handling possibly permits execution of arbitrary code. For full
> details please see: http://rst.void.ru/papers/advisory24.txt
>
> The advisory contains an obviously correct patch. Package is not
> part of Sarge due to long-standing portability problems.

This is

======================================================
Candidate: CAN-2005-1121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1121
Reference: MISC:http://rst.void.ru/papers/advisory24.txt
Reference: BID:13172
Reference: URL:http://www.securityfocus.com/bid/13172
Reference: GENTOO:GLSA-200505-02
Reference: URL:http://security.gentoo.org/glsa/glsa-200505-02.xml
Reference: XF:oops-format-string(20191)
Reference: URL:http://xforce.iss.net/xforce/xfdb/20191

Format string vulnerability in the my_xlog function in lib.c for Oops!
Proxy Server 1.5.23 and earlier, as called by the auth functions in the
passwd_mysql and passwd_pgsql modules, may allow attackers to execute
arbitrary code via a URL.

Please

 . update the package in sid
 . mention the CVE id from above in the changelog
 . tell me the version number of the fixed package
 . use priority=high

Regards,

        Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.
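The bug class behind CAN-2005-1121, as an added illustration that is not Oops!'s own lib.c: `my_xlog_like` stands in for a printf-style logging wrapper (a hypothetical name, as are `my_xlog_safe` and `has_format_directive`). The wrapper itself is ordinary; the defect is a call site that hands an attacker-supplied string (a login name from a URL) to it as the format argument, and the fix is to pass a literal format and the untrusted text as a `%s` operand.

```c
/* Added example, not code from the Oops! proxy. Names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A thin vsnprintf wrapper in the style of a my_xlog()-type logger.
 * Correct use: my_xlog_like(buf, n, "auth: user %s", name);
 * Vulnerable use (the CAN-2005-1121 pattern): my_xlog_like(buf, n, name);
 * where name comes from the network, so its '%' directives are parsed. */
int my_xlog_like(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened call: the format is a compile-time literal and the untrusted
 * name is only ever a %s operand, so "%x%n" in it is copied verbatim. */
int my_xlog_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "auth: user %s", user);
}

/* Audit helper: does a string contain a conversion directive, i.e. a '%'
 * that is not escaped as "%%"? Handy when reviewing what reaches a
 * printf-family format parameter, or when flagging suspicious log lines. */
int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent */
        return 1;                            /* any other '%' is a directive */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a login name that smuggles printf directives. */
    const char *user = "alice%x%x%n";
    char buf[128];
    my_xlog_safe(buf, sizeof buf, user);
    printf("%s\n", buf);                  /* auth: user alice%x%x%n */
    my_xlog_like(buf, sizeof buf, "auth: user %s", user);   /* correct call */
    printf("directive in input: %d\n", has_format_directive(user));   /* 1 */
    return 0;
}
```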