[Secure-testing-commits] r8443 - data/CVE

thijs at alioth.debian.org thijs at alioth.debian.org
Sat Mar 29 15:49:46 UTC 2008


Author: thijs
Date: 2008-03-29 15:49:44 +0000 (Sat, 29 Mar 2008)
New Revision: 8443

Modified:
   data/CVE/list
Log:
rewrite to be hopefully more clear


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-03-29 15:44:18 UTC (rev 8442)
+++ data/CVE/list	2008-03-29 15:49:44 UTC (rev 8443)
@@ -1,10 +1,10 @@
 CVE-2008-XXXX [phpMyAdmin sensitive data in session PMASA-2008-2]
 	- phpmyadmin 2.11.5.1 (unimportant)
 	NOTE: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2
-	NOTE: I can see no way to actively exploit this unless the host is very
-	NOTE: insecure anyway (not a Debian supported configuration), plus on a
-	NOTE: shared host of that setup you can read the same data from the config
-	NOTE: if you'd like. Flagging as non-issue.
+	NOTE: It is a workaround for the limited security that PHP has for
+	NOTE: session files on a shared host. This limitation is documented with
+	NOTE: PHP, warned against and not a specific vulnerability in phpMyAdmin.
+	NOTE: I hence consider it a security enhancement/feature, not a vulnerability.
 CVE-2008-1530 [gnupg key import memory corruption]
 	- gnupg <not-affected> (Only 1.4.8 is affected)
 	TODO: Verify that the next maintainer upload uses 1.4.9 directly
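Review bot: In the first added NOTE line, "It is a workaround" has no antecedent, so a reader of data/CVE/list cannot tell whether "It" refers to the PMASA-2008-2 issue itself or to the change shipped in 2.11.5.1. Name the subject explicitly, for example "The upstream change is a workaround for ..." if that is what is meant. The rewrite also drops the removed lines' point that on a shared host of that setup the same data can be read from the config, which was the concrete reasoning next to the (unimportant) tag; keeping one NOTE line of that would leave the severity rationale with the entry.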



