Summary: | <www-apps/tikiwiki-2.0 affected by bundled smarty and other unspecified issues (CVE-2008-{1066,3653,3654}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | |
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B2 [noglsa] | |
Package list: | | Runtime testing required: | ---
Description
Hanno Böck
Thanks for the report. tikiwiki-1.9.11 is in the tree but it actually still contains smarty-2.6.18.

Why did you add ppc then, if this bug is not fixed?

Sorry, my mistake. I bumped the package, emerged it, started commenting on the bug, checked the install and only then realized that they didn't bump smarty. So I finished commenting on the bug but forgot that I had already added ppc. Fixed.

What is the plan for this? Tikiwiki 1.9.11 is the latest version upstream and so presumably still contains the vulnerable version of smarty?

2.0 is fixed and also has some other vulnerabilities fixed.

CVE-2008-3653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3653): Multiple unspecified vulnerabilities in TikiWiki CMS/Groupware before 2.0 have unknown impact and attack vectors.

CVE-2008-3654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3654): Unspecified vulnerability in TikiWiki CMS/Groupware before 2.0 allows attackers to obtain "path and PHP configuration" via unknown vectors.

Added tikiwiki-2.0 to the tree. Targets: ppc

Arches, please test and mark stable:
=www-apps/tikiwiki-2.0
Target keywords : "ppc"

ppc stable, glsa with #212147

Removed vulnerable versions. webapps done.

Do we need a glsa on this? I think not, and as 2.2 is in the tree and no older versions, could we then close this?

No GLSA will be sent.