Moritz Muehlenhoff wrote:

> > php5 / CVE-2008-4107
> php-suhosin provides proper randomisation, but this needs more visible
> documentation. Maybe the release notes or the existing
> README.Debian.security?

Well, since the mt_/rand functions are nowhere documented as strong for cryptographic purposes I don't consider it a bug, but a missing enhancement. Not to mention that most of its side effects were made worse because of the poor seeding of the PRNG via mt_/srand.

> smarty CVE-2008-4810 / CVE-2008-4811
> I'm not sure about the exact status.

-4810 is about the original bug, -4811 is about the incomplete fix for all the attack vectors. Haven't heard from upstream about -4811.

> wordpress (504771)
> No patch yet.

The maintainer prepared a new version, which is waiting for somebody to sponsor it, adding yet another cookie-checking routine which prevents the user from browsing anything until some dangerous cookies are deleted.

PS. I just found an XSS vuln in phpCAS, which is embedded in a couple of packages and is now an ITP. Does anyone know about a phpCAS installation where I could test my findings so as to provide more precise information?

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

