| Summary: | net-mail/mlmmj-1.2.17.1: php admin webinterface input validation vulnerability (CVE-2009-4896) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Florian Streibelt <gentoo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | net-mail+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Florian Streibelt, 2009-02-23 02:23:50 UTC

seems this is something we should take a look at

Florian, did you report this upstream yet?

(In reply to comment #2)
> Florian, did you report this upstream yet?

On Wed, 06/23/2010 - 20:40 — http://mlmmj.org/node/84
1.2.17 is out, fixing the issue, please provide an updated ebuild.

craig: 1.2.17 has been in the tree since February...

Where have I been looking? Oo

Arches, please test and mark stable: =net-mail/mlmmj-1.2.17
Target keywords: "amd64 ppc x86"

ehm... I would say that 1.2.17 doesn't solve the issue!? The flaw was reported in June, fixed in July, but 1.2.17 is released in January! At least the first reported issue looks exactly the same in 1.2.17!

This is my personal failbug, sorry.

CVE-2009-4896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896): Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.

1.2.17.1 is in the tree now with the fixes from upstream.

Arches, please test and mark stable: =net-mail/mlmmj-1.2.17.1
Target keywords: "amd64 ppc x86"

amd64 done

x86 stable

Marked ppc stable.

GLSA Vote: yes.

Vote: YES, glsa request filed.

This bug is too old. We will not produce glsa here.

Setting back to non-resolved for glsa

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
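As an added illustration of the input validation the CVE entry above is about (this is example code, not mlmmj's own php-admin code and not from any participant in this bug): a list name taken from a web request is allow-listed before it is turned into a path, and the resolved path is then checked to still lie under the list top directory. The layout assumed here (one directory per list beneath a single top directory, with the admin interface editing files inside it) is an assumption, as are the function names.

```php
<?php
// Example code, not part of mlmmj. Assumption: every list is a directory
// <topdir>/<listname>/ and the web interface reads/writes files below it,
// so the list name must never be allowed to escape <topdir>.

function is_valid_list_name(string $name): bool
{
    // Treat the name as an opaque directory-name token: require it to start
    // with an alphanumeric and to contain only a conservative character set,
    // which rules out '/', NUL and other path metacharacters. The extra '..'
    // test is belt-and-braces against names such as "a..b" that the regex
    // would otherwise let through.
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name) === 1
        && strpos($name, '..') === false;
}

function list_dir(string $topdir, string $name): ?string
{
    if (!is_valid_list_name($name)) {
        return null;
    }
    $base = realpath($topdir);
    $dir  = realpath($topdir . DIRECTORY_SEPARATOR . $name);
    // Second line of defence: even a syntactically clean name must resolve
    // (symlinks included) to a directory strictly below the top directory.
    if ($base === false || $dir === false
        || strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $dir;
}

// Constructed sample inputs, including the dot-dot pattern from the CVE text.
$samples = ['announce', '../../etc', 'foo/../../tmp', "list\0", '.hidden', 'dev-list_2'];
foreach ($samples as $s) {
    printf("%-22s %s\n", json_encode($s), is_valid_list_name($s) ? 'accepted' : 'rejected');
}
```

Only `announce` and `dev-list_2` pass the allow-list; every other sample is rejected before `realpath()` is ever reached, and the containment check in `list_dir()` catches anything the allow-list might later be relaxed to permit.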