phpWebSite 0.10.1 full is vulnerable to an sql injection attack. Full description in the URL.
web-apps please advise.
0.10.2 is due today. web-apps please verify and bump.
0.10.2_rc1 in CVS
Arches please test and mark stable.
sparc stable.
*** Bug 103035 has been marked as a duplicate of this bug. ***
Stable on x86, stabled on ppc by hansmi
Finally you got our sexy alpha mark! 0.10.2_rc1 stable on alpha.
Ready for GLSA vote, I tend to a no.
I vote YES. SQL injection on clearly remote-accessible service.
Ok, correcting my vote, koon is right. I'm now pro-glsa.
phpwebsite is probably also vulnerable to the XMLRPC new round of things, described in bug 102576. Setting back to upstream and pulling in Wendall (phpwebsite maintainer) for inputs.
Core team is working on an 0.10.2 release with fixes. We actually don't use the xml-rpc libs, but they are installed with a set of pear packages we use for the news feeds module. There will be a patched version available tormorrow with both fixes. I'll post it as soon as it's up. Wendall
Hi Wendall, Any news on when the next release will happen? Best regards, Stu
http://phpwebsite.appstate.edu/downloads/rc/phpwebsite-0.10.2-RC2.tar.gz Kevin forgot to provide the MD5 hash. Will have him do this first thing in the morning. Since the core team were unable to reproduce the sql injection reported, some extra checks were put into place. This has been marked a low priority for the security team. The pear update is available in the release candidate. If all testing goes well, I'd expect a full 0.10.2 release by Friday. Wendall
rc2 in CVS
rc2 sparc stable.
Stable on ppc.
rc2 x86 stable
rc2 stable on alpha
ready for GLSA
GLSA 200508-21
