Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-14 22:09:03 UTC

Now instead see bug #102576 

Comment 2 Thierry Carrez (RETIRED) 2005-08-21 08:33:43 UTC

Nothing from upstream yet.

Comment 3 Stuart Herbert (RETIRED) 2005-08-23 00:42:15 UTC

Hi,

xoops doesn't use either of the XML-RPC libraries that are known to be
vulnerable to bug #102576.  Do you have any further information on how and why
xoops is vulnerable?

Thanks,
Stu

Comment 4 Thierry Carrez (RETIRED) 2005-08-23 00:55:24 UTC

I guess our supposition was based on the fact that xoops was reported as
vulnerable to the previous XML-RPC vulnerability (see bug 101899). You can close
the bug as INVALID if you confirm that it doesn't contain an affected lib.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-23 01:01:15 UTC

I opened new xmlrpc bugs for all packages affected by last round. So no 
specific evidence for xoops. 

Comment 6 Stuart Herbert (RETIRED) 2005-08-23 05:45:55 UTC

xoops uses its own XMLRPC library, which doesn't use eval() in the process.

Closing bug as invalid.  If any more information comes to light, please re-
open this bug.

Best regards,
Stu