Your message dated Thu, 10 Jun 2010 14:28:43 +0200
with message-id <1276172923.6343.64.ca...@bulma>
and subject line Re: Bug#585163: CVE-2010-1916: security issue in Xinha
has caused the Debian Bug report #585163,
regarding CVE-2010-1916: security issue in Xinha
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
585163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openacs
Severity: grave
Tags: security
Hi,
openacs includes a copy of xinha, for which the following security
issue was reported:
http://php-security.org/2010/05/10/mops-2010-019-serendipity-wysiwyg-editor-plugin-configuration-injection-vulnerability/index.html
http://xinha.webfactional.com/ticket/1518
Please check if openacs's code copy is affected and update the internal
copy if necessary.
There's already an ITP for xinha (Bug 479708) and since four packages
currently in the archive use xinha (openacs, Horde, serendipity and
dotlrn) it would be nice if we could migrate to a single package
for Squeeze.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Hi,
Thanks for the bug report, Moritz.
It looks like the problem is in the PHP function
xinha_read_passed_data(), which is used by some plugins (ImageManager,
ExtendedFileManager, etc...). The files fixed are php-xinha.php and the
config.inc.php of the affected plugins.
The xinha PHP interface is not used by OpenACS/dotLRN (they don't use
PHP at all); I think we can safely close the bug.
Regards, Héctor
--- End Message ---