Bug 303745 (CVE-2009-4422)

Comment 1 Alex Legler (RETIRED) 2010-05-09 11:00:22 UTC

Rerating.

php: ping. Patch is available at http://seclists.org/bugtraq/2009/Dec/285

Comment 2 Ole Markus With (RETIRED) 2010-05-09 13:40:03 UTC

Find ebuilds for 3.0.7 and 2.3 in the php overlay

Comment 3 Matti Bickel (RETIRED) 2010-12-19 15:13:45 UTC

jpgraph-3.0.7 has been in the tree since April. Leaving stable decision to security.

Comment 4 Alex Legler (RETIRED) 2010-12-19 15:44:50 UTC

The issue is not fixed in version 3.0.7.

A patch is available at http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0428.html, I would prefer using htmlspecialchars() instead of urlencode() though.

Comment 5 Matti Bickel (RETIRED) 2012-06-11 15:15:28 UTC

Wow, this is ancient. And upstream hasn't released a new stable version.. So I've taken the liberty to provide my own patch, using htmlentities() instead of urlencode as suggested.

Clear to go stable with jpgraph-3.0.7-r1?

Comment 6 Tim Sammut (RETIRED) 2012-06-16 23:13:03 UTC

(In reply to comment #5)
> 
> Clear to go stable with jpgraph-3.0.7-r1?

We're good if you are. ;)

Arches, please test and mark stable:
=dev-php/jpgraph-3.0.7-r1
Target keywords : "alpha amd64 hppa ppc sparc x86"

Comment 7 Agostino Sarubbo 2012-06-17 15:00:48 UTC

amd64 stable

Comment 8 Jeff (JD) Horelick (RETIRED) 2012-06-17 17:47:12 UTC

x86 stable

Comment 9 Jeroen Roovers (RETIRED) 2012-06-18 23:22:23 UTC

Stable for HPPA.

Comment 10 Raúl Porcel (RETIRED) 2012-07-15 16:58:37 UTC

alpha/sparc stable

Comment 11 Michael Weber (RETIRED) 2012-08-21 07:40:14 UTC

ppc stable, last arch, not closing due security marking.

Comment 12 Tim Sammut (RETIRED) 2012-08-21 14:39:07 UTC

Thanks everyone.

Closing noglsa for XSS.