Your message dated Sat, 29 Nov 2008 00:22:17 +0100
with message-id <[EMAIL PROTECTED]>
and subject line close bug that does not affect stable
has caused the Debian Bug report #504258,
regarding CVE-2008-4796: missing input sanitising in embedded copy of
Snoopy.class.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504258
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gforge-plugin-scmcvs
Severity: grave
Version: 4.5.14-5
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
snoopy, which affects the embedded copy shipped by gforge-plugin-scmcvs [0].
CVE-2008-4796[1]:
> The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> and earlier allows remote attackers to execute arbitrary commands via
> shell metacharacters in https URLs. NOTE: some of these details are
> obtained from third party information.
The patch for a later version of Snoopy.class.php can be found at [2], which
shouldn't be too hard to backport.
If you fix the vulnerability, please also make sure to include the CVE id in
the changelog entry.
[0] usr/lib/gforge/plugins/scmcvs/include/Snoopy.class
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
http://security-tracker.debian.net/tracker/CVE-2008-4796
[2] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
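The defect class described in CVE-2008-4796 (a caller-supplied https URL interpolated into a shell command line for curl) and one way to harden such a call, as an added example; this is neither Snoopy's own code nor the patch at [2], and the function names, the curl flags and the sample URL are assumed:

```php
<?php
// Added example, not Snoopy's code. Snoopy's _httpsrequest shells out to curl;
// when the URL is pasted into that command string verbatim, shell
// metacharacters in the URL are interpreted by the shell rather than treated
// as part of the URL.

// Vulnerable shape: the URL becomes part of the command text as-is.
function build_curl_command_unsafe(string $curlPath, string $uri): string
{
    return "$curlPath -k -s $uri";
}

// Hardened shape: only accept a syntactically plain https URL, then let
// escapeshellarg() present it to the shell as one single-quoted literal
// argument. $curlPath is assumed to come from configuration, not from users.
function build_curl_command_safe(string $curlPath, string $uri): string
{
    $parts = parse_url($uri);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || empty($parts['host'])
        // Refuse anything outside the RFC 3986 character set (whitespace,
        // double quotes, backticks, '|', '<', '>', '{', '}'). Sub-delimiters
        // that RFC 3986 does allow, such as ';' and '&', are left to
        // escapeshellarg() below, which quotes them.
        || preg_match('#^[A-Za-z0-9\-._~:/?\#\[\]@!$&\'()*+,;=%]+$#', $uri) !== 1) {
        throw new InvalidArgumentException('refusing to fetch non-https or malformed URL');
    }
    return $curlPath . ' -k -s ' . escapeshellarg($uri);
}

// Constructed sample: a URL whose query string contains ';', a shell
// command separator. Nothing is executed here; only the command strings
// that would be handed to exec() are shown.
$uri = 'https://example.com/path?a=1;b=2';
echo build_curl_command_unsafe('/usr/bin/curl', $uri), "\n"; // ';' is unquoted
echo build_curl_command_safe('/usr/bin/curl', $uri), "\n";   // ';' sits inside '...'

try {
    build_curl_command_safe('/usr/bin/curl', "https://example.com/`x`");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";                // backticks refused
}
```

The same pattern applies to any PHP code that builds a command line from request data: validate the value against the format it is supposed to have, then pass it through escapeshellarg() rather than string interpolation.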
--- Begin Message ---
Hi
The maintainer is right and this bug report can be closed. The package is not
in lenny and gforge code copies seem to be fixed, so no need to keep this
bug report open. :)
Cheers
Steffen
--- End Message ---