Your message dated Fri, 28 Nov 2008 11:35:54 GMT
with message-id <[EMAIL PROTECTED]>
and subject line opendb has been removed from Debian, closing #504173
has caused the Debian Bug report #504173,
regarding CVE-2008-4796: missing input sanitising in Snoopy.class.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504173: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504173
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for opendb.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.
The libphp-snoopy package even ships a newer version of Snoopy.class.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Also, since the package is in stable (etch), I'd like to know in which way
the php library is invoked and how vulnerable to attacks the stable
version is. If it is severe enough, we should prepare a DSA, otherwise
an update could go through s-p-u.

Thanks for your work on opendb.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch



--- End Message ---
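The CVE text quoted in the report above describes a classic bug class: a URL supplied by a caller is spliced into a shell command line, so shell metacharacters in the URL are interpreted by /bin/sh. The following is an added illustration of that pattern and its fix; it is not Snoopy's or opendb's code, and the function names, the curl invocation and the sample URLs are constructed for this example.

```php
<?php
// Added example for CVE-2008-4796's bug class (not Snoopy or opendb code):
// fetching an https URL by shelling out to the curl binary.
// All names and the command layout below are hypothetical.

// VULNERABLE PATTERN: the caller-controlled URL is concatenated straight into
// the command string. /bin/sh parses the whole line, so anything in the URL
// that the shell treats specially becomes part of the command, not the URL.
function fetch_https_unsafe(string $url): string
{
    $cmd = '/usr/bin/curl -s ' . $url;      // no validation, no quoting
    exec($cmd, $lines, $rc);
    return implode("\n", $lines);
}

// Validation step: accept only absolute https URLs whose characters fall in
// the RFC 3986 set. Note that this set still contains characters the shell
// cares about (';', '&', '$', '(', ')', "'", '*'), so validation alone is NOT
// the fix; it is defence in depth that rejects obviously malformed input.
function validate_https_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    return (bool) preg_match('#^https://[A-Za-z0-9._~:/?\#\[\]@!$&\'()*+,;=%-]+$#', $url);
}

// HARDENED PATTERN: validate, then pass the URL as ONE quoted shell argument.
// escapeshellarg() wraps the value in single quotes and escapes any embedded
// single quote, so the shell can never parse the URL as additional commands.
function fetch_https_safe(string $url): string
{
    if (!validate_https_url($url)) {
        throw new InvalidArgumentException('only well-formed absolute https URLs are accepted');
    }
    $cmd = '/usr/bin/curl -s ' . escapeshellarg($url);
    exec($cmd, $lines, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("curl exited with status $rc");
    }
    return implode("\n", $lines);
}

// Constructed sample inputs (no network access needed for the checks below).
$samples = [
    'https://example.invalid/index.php?id=1',  // accepted
    'http://example.invalid/',                 // rejected: wrong scheme
    "https://example.invalid/a b",             // rejected: space is outside the allowed set
    'https://example.invalid/;x',              // accepted by validation; made harmless by escapeshellarg()
];
foreach ($samples as $u) {
    printf("%-45s validate=%s quoted=%s\n", $u, validate_https_url($u) ? 'yes' : 'no', escapeshellarg($u));
}
```

The last sample shows why the quoting step is the actual fix: a `;` is legal in a URL, so an allow-list cannot reject it, but once the value is a single quoted argument the shell never sees it as a command separator. The stronger design is to leave the shell out entirely and talk to libcurl through PHP's curl extension (`curl_init()` / `curl_setopt()` / `curl_exec()`), which takes the URL as a plain string and has no command line to corrupt.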
--- Begin Message ---
Version: 0.81p20-1.5+rm

The opendb package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/505728. That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org


--- End Message ---