phpWebSite 0.10.1 full is vulnerable to an SQL injection attack. Full
description in the URL.
web-apps, please advise.
0.10.2 is due today. web-apps, please verify and bump.
0.10.2_rc1 in CVS
Arches, please test and mark stable.
*** Bug 103035 has been marked as a duplicate of this bug. ***
Stable on x86, stabled on ppc by hansmi
Finally you got our sexy alpha mark!
0.10.2_rc1 stable on alpha.
Ready for GLSA vote; I tend towards a no.
I vote YES. SQL injection on a clearly remotely accessible service.
OK, correcting my vote, koon is right. I'm now pro-GLSA.
phpwebsite is probably also vulnerable to the new round of XML-RPC issues,
described in bug 102576.
Setting back to upstream and pulling in Wendall (phpwebsite maintainer) for input.
The core team is working on an 0.10.2 release with fixes. We actually don't use the
XML-RPC libs, but they are installed with a set of PEAR packages we use for the
news feeds module. There will be a patched version available tomorrow with both
fixes. I'll post it as soon as it's up.
Any news on when the next release will happen?
Kevin forgot to provide the MD5 hash. Will have him do this first thing in the
morning. Since the core team were unable to reproduce the SQL injection
reported, some extra checks were put into place. This has been marked a low
priority by the security team. The PEAR update is available in the release
candidate. If all testing goes well, I'd expect a full 0.10.2 release by Friday.
rc2 in CVS
rc2 sparc stable.
Stable on ppc.
rc2 x86 stable
rc2 stable on alpha
ready for GLSA