see bug #102324
Now instead see bug #102576
Nothing from upstream yet.
Hi, xoops doesn't use either of the XML-RPC libraries that are known to be vulnerable to bug #102576. Do you have any further information on how and why xoops is vulnerable? Thanks, Stu
I guess our supposition was based on the fact that xoops was reported as vulnerable to the previous XML-RPC vulnerability (see bug 101899). You can close the bug as INVALID if you confirm that it doesn't contain an affected lib.
I opened new xmlrpc bugs for all packages affected by the last round. So no specific evidence for xoops.
xoops uses its own XMLRPC library, which doesn't use eval() in the process. Closing bug as invalid. If any more information comes to light, please re-open this bug. Best regards, Stu