[Secure-testing-commits] r7878 - data/CVE
thijs at alioth.debian.org
Fri Jan 11 10:52:42 UTC 2008
Author: thijs
Date: 2008-01-11 10:52:42 +0000 (Fri, 11 Jan 2008)
New Revision: 7878
Modified:
data/CVE/list
Log:
update gforge entry: this vulnerability requires register_globals to be On.
This is supported for sarge and etch (for gforge - in general, rg=1 issues in
etch are UNsupported). This means that for lenny/sid the scripts are merely
broken but not vulnerable. A DSA for etch/sarge is pending.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-01-11 09:14:11 UTC (rev 7877)
+++ data/CVE/list 2008-01-11 10:52:42 UTC (rev 7878)
@@ -1,6 +1,11 @@
CVE-2008-0173 [SQL injection in gforge]
- - gforge <unfixed> (medium)
+ - gforge <unfixed> (unimportant)
+ [etch] - gforge <unfixed> (medium)
+ [sarge] - gforge <unfixed> (medium)
NOTE: this is exploitable by unauthenticated users
+ NOTE: Requires register_globals to be On, unsupported in lenny+sid.
+ NOTE: In lenny+sid these scripts just don't work, so no security issue.
+ NOTE: In etch+sarge we support gforge with rg On, unfortunately.
CVE-2008-0159 (SQL injection vulnerability in index.php in eggBlog 3.1.0 and earlier ...)
NOT-FOR-US: eggBlog
CVE-2008-0158 (Directory traversal vulnerability in index.php in Shop-Script 2.0 and ...)
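Review bot: the unchanged context line "NOTE: this is exploitable by unauthenticated users" in the CVE-2008-0173 entry still reads as unconditional, but with the added notes it holds only for the [etch] and [sarge] lines, since the scripts are said not to work at all in lenny+sid. Qualify it with the register_globals precondition, or move it below the "Requires register_globals to be On" note so the precondition is read first. The last added NOTE abbreviates the setting as "rg"; spelling out register_globals there keeps the entry searchable and consistent with the note two lines above it.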