* Roland Mas [Wed, 17 Dec 2008 16:36:18 +0100]:

> Hi release team,

>   I would like to request a freeze exception for the gforge package.
> Version currently in lenny is 4.7~rc2-6, and 4.7~rc2-7 has been
> uploaded to unstable to close an SQL injection problem
> (CVE-2008-2381).  The only change (apart from change logs) is the
> following:

> === modified file 'gforge/common/include/GroupJoinRequest.class.php'
> --- gforge/common/include/GroupJoinRequest.class.php  2008-05-27 20:56:57 
> +0000
> +++ gforge/common/include/GroupJoinRequest.class.php  2008-11-25 10:45:49 
> +0000
> @@ -148,7 +148,7 @@

>               $sql="INSERT INTO group_join_request 
> (group_id,user_id,comments,request_date)
>                       VALUES ('".$this->Group->getID()."','".$user_id."',
> -                     '".htmlspecialchars($comments)."','".time()."')";
> +                     
> '".addslashes(htmlspecialchars($comments))."','".time()."')";
>               $result=db_query($sql);
>               if (!$result || db_affected_rows($result) < 1) {
>                       $this->setError('GroupJoinRequest::create() Posting 
> Failed '.db_error());
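
Review bot: addslashes() on the changed VALUES line is a generic backslash escape that knows nothing about the database connection, so whether it is sufficient depends on the server's quoting rules and the client encoding. The escaping routine of the database layer behind db_query(), or a parameterized query, would be the more robust fix for $comments. The same statement still concatenates $user_id inside quotes with no escaping in the visible lines, so it is worth confirming that it is forced to an integer before this point. Calling htmlspecialchars() at insert time also means HTML-encoded text is what gets stored in group_join_request.comments; encoding at output is the usual split, though changing that goes beyond a minimal fix.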

Unblocked.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                         Listening to: Los Piratas - "M"

