Hello,
Take a look at contrib/miastoplusa/mpl.sh
    9 cat >/tmp/request1 << __ENDME__
    27 cat >/tmp/request2 <<__ENDME2__
    48 nc www.miastoplusa.pl 80 < /tmp/request1
    54 nc www.miastoplusa.pl 80 < /tmp/request2
This contrib file is installed by portage
    >>> /usr/share/doc/sms-1.9.2m/contrib/miastoplusa/mpl.sh
Regards.
Confirmed, although very low risk. It's only installed in docdir, and seems to be for a Polish telecom website. Suggest adding set -C before, and rm -f after.
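
Added example, not part of the original thread and not code from mpl.sh: it shows why a fixed name under /tmp combined with a plain '>' redirect is unsafe when the name already exists as a symlink, and how the suggested set -C changes the outcome. The function names, the scratch directory layout and the request text are constructed for the demo, and the mktemp variant is an assumption that nobody in the thread proposed.

```sh
#!/bin/sh
# Added example, not taken from mpl.sh. Everything happens inside a private
# scratch directory; the file names below are constructed for the demo.

# Pattern flagged in the report: fixed name, plain '>' redirect. If the name
# already exists as a symlink, the data lands in the link's target.
write_predictable() {                 # $1 = path, $2 = content
    printf '%s\n' "$2" > "$1"
}

# Mitigation suggested in the thread: noclobber ('set -C') makes '>' fail
# when the path already exists, so a pre-planted link is not followed.
write_noclobber() {                   # $1 = path, $2 = content
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Sturdier alternative (an assumption, not proposed on the page): mktemp
# creates a fresh, unpredictable file with mode 0600 and prints its path.
write_mktemp() {                      # $1 = directory, $2 = content
    f=$(mktemp "$1/request.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f" && printf '%s\n' "$f"
}

# Run one writer against a pre-existing symlink and report what happened
# to the file the link points at: prints "clobbered" or "intact".
probe() {                             # $1 = writer function name
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/target"
    ln -s "$dir/target" "$dir/request1"
    "$1" "$dir/request1" 'POST /sms HTTP/1.0' || true   # constructed request text
    if [ "$(cat "$dir/target")" = original ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$dir"
}

for w in write_predictable write_noclobber; do
    printf '%-18s -> target %s\n' "$w" "$(probe "$w")"
done
```

A script using write_mktemp should still remove the file when done, for example with a trap on EXIT, which covers the "rm -f after" half of the suggestion.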
Eric, please tell us when upstream is aware.
Hello, Upstream notified. Regards.
Hello,
Response from upstream:
It's very old version. It was released almost year ago - 21st August 2004. Current version - 2.0.3 does not contain vulnerable file.
Regards.
According to upstream, 2.0.3 does not include the vulnerable file. We should probably mark stable this version and call it a day. dragonheart / tester : please bump 2.0.3 to x86 stable We'll wait for public disclosure to open this one.
Jeremy - any objections to x86 and ppc for dev-libs/pcre++? works for me (on both)?
RDEPEND.bad 2
    app-mobilephone/sms/sms-2.0.3.ebuild: ppc(default-linux/ppc/2005.0) ['dev-libs/pcre++']
    app-mobilephone/sms/sms-2.0.3.ebuild: x86(default-linux/x86/2005.0) ['dev-libs/pcre++']
Leaked by Secunia, SA16038
Jeremy - I took a risk and just made pcre++ stable - no outstanding bugs in a year. sms<=1.9.2m removed and 2.0.3 ppc and x86 stable.
Voting for GLSA. This is a contrib script, not in path -> I vote NO
agreed, NO.
Reopen if you disagree