Insufficient param handling in tiki-graph_formula.php. Exploit: http://milw0rm.com/exploits/4509
1.9.8.1 is in the tree. target: ppc stable
ppc stable
thanks tobias. removed insecure version. webapps is done here.
glsa request filed.
Tobias, seems you forgot to actually add the ppc keywords: 12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog: ppc stable, bug #195503
(In reply to comment #5) > Tobias, seems you forgot to actually add the ppc keywords: > > 12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog: > ppc stable, bug #195503 > oopsie ;) now for real: ppc stable
*** Bug 196329 has been marked as a duplicate of this bug. ***
Perhaps the GLSA request should be filed again. My server was rooted due to this vuln. Not happy.
GLSA 200710-21 is out. Hint: never use risky web-apps unless in an isolated environment like chroot or virtual machines.
Hi, Stefen Esser warned tikiwiki upstream that they haven't totally fixed CVE-2007-5423 impact. Patch is here: http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-graph_formula.php?r1=1.5&r2=1.6 Announcement is here: http://info.tikiwiki.org/tiki-read_article.php?articleId=15 web-app could you have a look, please?
And it seems that more security issues were fixed in 1.9.8.2, i have no other info.
+2007-10-23 01:18 mose + * tiki-imexport_languages.php: [FIX] security: added tests to the + language filename var to avoid arbitrary inclusion + -> file inclusion +2007-10-23 01:08 mose + * db/tiki-db.php: [FIX] security: added some checks on local.php + file to avoid arbitrary inclusion -> file inclusion + +2007-10-23 00:58 mose + * lib/tikilib.php: [FIX] wiki images: added a test to avoid js + comes into img src -> XSS + +2007-10-23 00:46 mose + * templates/tiki-remind_password.tpl: [FIX] security: escape error + message in remind_password to avoid possible abuse + -> disclosure of information + Stefan Esser's fix (code injection), without ChangeLog entry.
1.9.8.2 is in the tree. Targets: ppc
one again: ppc stable
filed.
The release should be upgraded to 1.9.8.3 as it correct a bug introduced in 1.9.8.2
(In reply to comment #16) > The release should be upgraded to 1.9.8.3 as it correct a bug introduced in > 1.9.8.2 Gunnar, your call.
(In reply to comment #17) > (In reply to comment #16) > > The release should be upgraded to 1.9.8.3 as it correct a bug introduced in > > 1.9.8.2 > > Gunnar, your call. > *sigh* ... what about just dropping the ppc stable keyword?
1.9.8.3 in the tree. Traget: ppc - you may of course also decide to drop the keyword ;) ... I don't consider tikiwiki a particularly well crafted piece of software
whatever, once again: ppc stable - next time i'll drop the stable-keyword.
Thanks, removed insecure versions. webapps done
GlSA 200711-19