Summary: | www-apps/tikiwiki: 1.9.4 Arbitrary command execution and XSS (CVE-2006-{4299|4602}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Raphael Marichez (Falco) (RETIRED) <falco> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1? [glsa+] Falco | ||
Package list: | Runtime testing required: | --- |
Description
Raphael Marichez (Falco) (RETIRED)
2006-08-31 07:54:49 UTC
file-upload-vulnerability++ http://secunia.com/advisories/21733/

1.9.4 is affected.

should be fixed in -r2

Renat, does 1.9.5 fix this issue? Please comment on the bug next time.

1.9.5 fixes this and has been committed:

12 Sep 2006; Renat Lumpau <rl03@gentoo.org> +tikiwiki-1.9.5.ebuild:

sorry folks, that's what I had intended with comment #2, except not -r2 but 1.9.5. I'll be more careful next time

Thx Renat and sorry for the confusion. PPC please test and mark stable. Target keywords are:

tikiwiki-1.9.5.ebuild:KEYWORDS="~amd64 ppc ~sparc ~x86"

ppc stable

I tend to vote NO.

Hm, since it seems to be on the same level as the recent DokuWiki vulnerability I'd say it's more B1 than anything else?!

This has nothing to do with the recent DokuWiki vulnerability. This one allows injection of web script (javascript) in the context of the victim's browser.

Maybe I was misled by Falco's link ... ehr <swirl> ... if we're still talking 1.9.4 ... isn't that one valid?

No, I was misled by an outdated Summary/Status. /me blames falco. Let's have the GLSA. I would vote YES.

GLSA drafted, security please review.

GLSA 200609-16