
Bug 195503

Summary: www-apps/tikiwiki < 1.9.8.3 Remote command injection vulnerability (CVE-2007-{5423,5682,5683,5684})
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: rhdt
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/27190/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2007-10-11 14:13:51 UTC
Insufficient param handling in tiki-graph_formula.php.

Exploit: http://milw0rm.com/exploits/4509
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-12 12:36:33 UTC
1.9.8.1 is in the tree.

target: ppc stable

Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-12 16:04:47 UTC
ppc stable
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-13 08:06:46 UTC
thanks tobias. removed insecure version. webapps is done here.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-13 13:09:39 UTC
glsa request filed.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 22:00:41 UTC
Tobias, seems you forgot to actually add the ppc keywords:

  12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog:
  ppc stable, bug #195503

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 16:44:02 UTC
(In reply to comment #5)
> Tobias, seems you forgot to actually add the ppc keywords:
> 
>   12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog:
>   ppc stable, bug #195503
> 

oopsie ;) now for real: ppc stable
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-10-18 21:20:16 UTC
*** Bug 196329 has been marked as a duplicate of this bug. ***
Comment 8 Aardpig 2007-10-19 16:06:39 UTC
Perhaps the GLSA request should be filed again. My server was rooted due to this vuln. Not happy.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-20 20:51:18 UTC
GLSA 200710-21 is out.

Hint: never use risky web-apps unless in an isolated environment like chroot or virtual machines.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:26:25 UTC
Hi,

Stefan Esser warned tikiwiki upstream that they haven't totally fixed CVE-2007-5423 impact.

Patch is here:
http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-graph_formula.php?r1=1.5&r2=1.6

Announcement is here:
http://info.tikiwiki.org/tiki-read_article.php?articleId=15

web-app could you have a look, please?
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:31:00 UTC
And it seems that more security issues were fixed in 1.9.8.2; I have no other info.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:36:35 UTC
+2007-10-23 01:18  mose 
+       * tiki-imexport_languages.php: [FIX] security: added tests to the 
+         language filename var to avoid arbitrary inclusion 
+ 

-> file inclusion

+2007-10-23 01:08  mose 
+       * db/tiki-db.php: [FIX] security: added some checks on local.php 
+         file to avoid arbitrary inclusion 

-> file inclusion

+ 
+2007-10-23 00:58  mose 
+       * lib/tikilib.php: [FIX] wiki images: added a test to avoid js 
+         comes into img src 

-> XSS

+ 

+2007-10-23 00:46  mose 
+       * templates/tiki-remind_password.tpl: [FIX] security: escape error 
+         message in remind_password to avoid possible abuse 
+ 

-> disclosure of information

+ Stefan Esser's fix (code injection), without ChangeLog entry.
Comment 13 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-26 12:55:04 UTC
1.9.8.2 is in the tree.

Targets: ppc
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-27 11:21:19 UTC
once again: ppc stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-27 13:39:39 UTC
filed.
Comment 16 Aurélien Requiem 2007-10-27 13:58:09 UTC
The release should be upgraded to 1.9.8.3 as it corrects a bug introduced in 1.9.8.2
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-10-27 16:54:06 UTC
(In reply to comment #16)
> The release should be upgraded to 1.9.8.3 as it corrects a bug introduced in
> 1.9.8.2

Gunnar, your call.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-27 17:59:52 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > The release should be upgraded to 1.9.8.3 as it corrects a bug introduced in
> > 1.9.8.2
> 
> Gunnar, your call.
> 

*sigh* ... what about just dropping the ppc stable keyword?
Comment 19 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-28 15:50:24 UTC
1.9.8.3 in the tree.

Target: ppc - you may of course also decide to drop the keyword ;) ... I don't consider tikiwiki a particularly well crafted piece of software
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-30 19:22:37 UTC
whatever, once again: ppc stable - next time I'll drop the stable-keyword.
Comment 21 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-31 04:51:23 UTC
Thanks, removed insecure versions. webapps done
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 22:02:01 UTC
GLSA 200711-19