http://www.incogen.com/index.php?type=General&param=bugport
10/01/2004 A new version (1.134) was released with a very important, security-related bug fix. It is highly recommended that all BugPort users upgrade, especially if you allow non-trusted users to login to your BugPort site. Thanks to Eduardo Correia for discovering the bug!
Update Note: to upgrade and keep your existing config.php file, you will need to add a new $attachmentDirectory variable to the config.php file. See the sample config.php file included in the tar file as an example. You will then need to move all dirs/files from your existing bugport/files/ directory into your new attachments directory.
__________________________________________
Secunia advisory 12730 can be found at http://secunia.com/advisories/12730/
__________________________________________
current KEYWORDS="~x86 ~ppc" so no GLSA needed
jmglov pls bump the ebuild to 1.134, thanks
xforce advisory @ http://xforce.iss.net/xforce/xfdb/17587
web-apps, haven't heard anything of jmglov, could one of you please look into this and bump the ebuild
changed to ebuild+ since this bug is open for four days without any reaction now
web-apps/jmglov, pls bump the ebuild
I've started looking at it. bugport-1.135 doesn't seem to work out of the box, which isn't helping matters. Best regards, Stu
1.136 seems to be out now too
any progress on the new ebuild?
_____
The vulnerability seems to be somewhere in the handling of attached files.
http://securitytracker.com/alerts/2004/Oct/1011543.html
http://www.osvdb.org/10482
This version doesn't work out of the box either. If no-one complains, I'm happy to mask this package. Best regards, Stu
hard-masked in portage.
Markus: any success in your webapp-config learning? Please let us know if you still want to handle this package, for example by putting yourself in the metadata.xml file :)
Alright, enough testing. Submitted the newest version, removed the old one and the package mask. I also added a metadata stating me as maintainer.
err, security bug. Close after GLSA is sent out.
~arch masked, so no need for GLSA
thanks for taking this Markus
no GLSA needed, metadata.xml up to date and vulnerable version removed -> closing