[Secure-testing-commits] r27817 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Jul 18 18:53:01 UTC 2014


Author: carnil
Date: 2014-07-18 18:53:01 +0000 (Fri, 18 Jul 2014)
New Revision: 27817

Modified:
   data/CVE/list
Log:
Add CVE-2014-5008/libphp-snoopy issue

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-07-18 18:50:10 UTC (rev 27816)
+++ data/CVE/list	2014-07-18 18:53:01 UTC (rev 27817)
@@ -1,5 +1,9 @@
 CVE-2014-XXXX [basic http authentication bypass]
 	- bozohttpd <unfixed> (bug #755197)
+CVE-2014-5008 [Incorrect fix for CVE-2008-4796, escapeshellarg required]
+	- libphp-snoopy <unfixed>
+	NOTE: http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/
+	NOTE: This issue exists because of an incorrect fix for CVE-2008-4796 (i.e., use of escapeshellcmd where escapeshellarg was required).
 CVE-2014-5004 [Ruby Gem brbackup-0.1.1: exposes the database password to the command line]
 	NOT-FOR-US: Ruby Gem brbackup
 CVE-2014-5003 [Ruby Gem ciborg-3.0.0: race condition when creating /tmp/perlbrew-installer]
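Review bot: the new `- libphp-snoopy <unfixed>` line carries no bug reference, while the bozohttpd entry directly above it has `(bug #755197)`. If a bug is filed against the package, add its number on that line so the unfixed state can be tracked. The bracketed description and the second NOTE also say the same thing (escapeshellcmd used where escapeshellarg was required), so the description could be reduced to a short summary of the flaw and the relationship to CVE-2008-4796 left to the NOTE.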



