Hi release team,

  I would like to request a freeze exception for the gforge package.
Version currently in lenny is 4.7~rc2-6, and 4.7~rc2-7 has been
uploaded to unstable to close an SQL injection problem
(CVE-2008-2381).  The only change (apart from change logs) is the
following:

=== modified file 'gforge/common/include/GroupJoinRequest.class.php'
--- gforge/common/include/GroupJoinRequest.class.php    2008-05-27 20:56:57 
+0000
+++ gforge/common/include/GroupJoinRequest.class.php    2008-11-25 10:45:49 
+0000
@@ -148,7 +148,7 @@
 
                $sql="INSERT INTO group_join_request 
(group_id,user_id,comments,request_date)
                        VALUES ('".$this->Group->getID()."','".$user_id."',
-                       '".htmlspecialchars($comments)."','".time()."')";
+                       
'".addslashes(htmlspecialchars($comments))."','".time()."')";
                $result=db_query($sql);
                if (!$result || db_affected_rows($result) < 1) {
                        $this->setError('GroupJoinRequest::create() Posting 
Failed '.db_error());
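
Review bot: On the changed VALUES line, addslashes() is a generic backslash-escaper that knows nothing about the database's quoting rules or the connection's character encoding, so it is a weaker fix than the database driver's own string-escaping function or a parameterised query through the db layer; I would suggest using one of those for $comments instead. In the same statement, $user_id is still concatenated into the query between quotes, and nothing visible in this hunk shows it being validated, so an explicit integer cast before building $sql would be worth adding. As a smaller point, htmlspecialchars() is output encoding: applying it before storage ties the stored data to HTML display, and it does not contribute to the SQL escaping.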

  Thanks,

Roland.
-- 
Roland Mas

Save a tree, kill a beaver.

