Coppermine Photo Gallery has a logical design fault that results in bypassing its anti-XSS-injection register_globals cleanup system.
* Setting to trivial since there is no stable ebuild.
* B3 since there is SQL injection.
* It's fixed in CVS, but I suggest waiting for the next official release.

[1] concerns the XSS issue against 1.4.8
[2] concerns the SQL injection issue against 1.4.8

[1] http://myimei.com/security/2006-06-20/coppermine-148parameter-cleanup-system-bypassregistering-global-varables.html
[2] http://myimei.com/security/2006-06-11/copperminephotogallery148-addhit-function-sqlinjection-attack.html
Setting to upstream then, waiting for 1.4.9.
This is fixed in 1.4.9. web-apps please bump.

2006-06-23 [S] Fixed the security flaw in parameter cleanup system reported by imei addmimistrator @ http://myimei.com/security/2006-06-20/coppermine-148parameter-cleanup-system-bypassregistering-global-varables.html (addmimistrator(4}gmail(O}com) {Aditya}
2006-06-23 [S] Fixed the security flaw in add_hit function reported by imei addmimistrator @ http://myimei.com/security/2006-06-11/copperminephotogallery148-addhit-function-sqlinjection-attack.html (addmimistrator(4}gmail(O}com) {Aditya}
I'm looking at this now. Best regards, Stu
Hi, coppermine-1.4.9 is in the tree. Keywords are ~sparc and ~x86, same as the last version. Best regards, Stu
Thanks Stuart. Since this is ~ I'll close without a GLSA.