Insufficient param handling in tiki-graph_formula.php.
184.108.40.206 is in the tree.
target: ppc stable
Thanks, Tobias. Removed insecure version. webapps is done here.
GLSA request filed.
Tobias, seems you forgot to actually add the ppc keywords:
12 Oct 2007; Tobias Scherbaum <email@example.com> ChangeLog:
ppc stable, bug #195503
(In reply to comment #5)
> Tobias, seems you forgot to actually add the ppc keywords:
> 12 Oct 2007; Tobias Scherbaum <firstname.lastname@example.org> ChangeLog:
> ppc stable, bug #195503
oopsie ;) now for real: ppc stable
*** Bug 196329 has been marked as a duplicate of this bug. ***
Perhaps the GLSA request should be filed again. My server was rooted due to this vuln. Not happy.
GLSA 200710-21 is out.
Hint: never use risky web-apps unless in an isolated environment like chroot or virtual machines.
Stefan Esser warned tikiwiki upstream that they haven't totally fixed the CVE-2007-5423 impact.
Patch is here:
Announcement is here:
web-app could you have a look, please?
And it seems that more security issues were fixed in 220.127.116.11; I have no other info.
+2007-10-23 01:18 mose
+ * tiki-imexport_languages.php: [FIX] security: added tests to the
+ language filename var to avoid arbitrary inclusion
-> file inclusion
+2007-10-23 01:08 mose
+ * db/tiki-db.php: [FIX] security: added some checks on local.php
+ file to avoid arbitrary inclusion
-> file inclusion
+2007-10-23 00:58 mose
+ * lib/tikilib.php: [FIX] wiki images: added a test to avoid js
+ comes into img src
+2007-10-23 00:46 mose
+ * templates/tiki-remind_password.tpl: [FIX] security: escape error
+ message in remind_password to avoid possible abuse
-> disclosure of information
+ Stefan Esser's fix (code injection), without ChangeLog entry.
18.104.22.168 is in the tree.
once again: ppc stable
The release should be upgraded to 22.214.171.124 as it corrects a bug introduced in 126.96.36.199
(In reply to comment #16)
> The release should be upgraded to 188.8.131.52 as it corrects a bug introduced in
Gunnar, your call.
(In reply to comment #17)
> (In reply to comment #16)
> > The release should be upgraded to 184.108.40.206 as it corrects a bug introduced in
> > 220.127.116.11
> Gunnar, your call.
*sigh* ... what about just dropping the ppc stable keyword?
18.104.22.168 in the tree.
Target: ppc - you may of course also decide to drop the keyword ;) ... I don't consider tikiwiki a particularly well crafted piece of software
whatever, once again: ppc stable - next time I'll drop the stable keyword.
Thanks, removed insecure versions. webapps done