PEAR-Auth didn't correctly validate data passed to the DB and LDAP backend containers; this was fixed in PEAR-Auth-1.2.4, which is now in the tree. Please contact the archs about stabling dev-php/PEAR-Auth-1.2.4. Best regards, CHTEKK.
thx for bumping. Arches, please test and mark stable, thx in advance.
forgot to actually CC arches, thx to CHTEKK for the heads-up ..
stable on ppc64
SPARC'd
While trying to test this, it looks like half of the dependencies for it aren't even in the tree. The only thing that seems to work is the DB stuff. The package.xml file says the dependencies are all optional, but we install all of the files, so all of them should work.
    <dep type="pkg" rel="ge" version="0.9.5" optional="yes">File_Passwd</dep>
    <dep type="pkg" rel="ge" version="1.3" optional="yes">Net_POP3</dep>
    <dep type="pkg" rel="has" optional="yes">DB</dep>
    <dep type="pkg" rel="has" optional="yes">MDB</dep>
    <dep type="pkg" rel="has" optional="yes">Auth_RADIUS</dep>
    <dep type="pkg" rel="has" optional="yes">File_SMBPasswd</dep>
I'll add the dependencies to the tree.
dev-php/PEAR-MDB2, dev-php/PEAR-Crypt_CHAP, dev-php/PEAR-File_Passwd, and PEAR-File_SMBPasswd are in the tree now. I did not add dev-php/PEAR-Auth_RADIUS yet because that PEAR package depends on a PECL extension that is not in the tree yet.
They still aren't dependencies of PEAR-Auth, and if the radius stuff isn't going to work, you shouldn't install those files, in my opinion.
When a PEAR package marks one of its dependencies as optional it has to check whether or not the optionally used package is installed and only expose the functionality that depends on it if it is. Or did you mean something else?
Marked hppa stable.
(In reply to comment #9)
> When a PEAR package marks one of its dependencies as optional it has to check
> whether or not the optionally used package is installed and only expose the
> functionality that depends on it if it is.
If I install the package right now, I can't use all of the features that come with it since dependencies are missing. I'm complaining about this because I'm not sure how I ever marked it stable in its current state since most of it doesn't seem to work. I guess it is not a regression, so I'll mark it stable, but I'd like to see this problem addressed in the near future.
amd64 stable
Alpha, please test and mark stable
Alpha done, sorry for the delay. Cheers, Ferdy
Ready for GLSA vote
Injection attacks against the underlying storage containers, I vote yes.
Yes++
Ready for GLSA (one more)
GLSA 200603-13 Thanks everybody.