[pLog-svn] Security update for Debian Testing - 2008-11-24 (fwd)

Jon Daley plogworld at jon.limedaley.com
Wed Jan 14 10:15:02 EST 2009


 	Yes, this is a critical error, as we use $_REQUEST all over the 
place, so various things can be injected via cookies into the get and post 
streams.  Anyone have some time to see how other folks went about solving 
this?  Maybe the easiest thing is to remove cookie information from the 
REQUEST parameter?  Some of the places we use $_REQUEST can simply be 
changed to $_GET (like for the page parameter - that isn't ever used via 
POST or COOKIE, right?)
 	We do a bunch of overwriting the superglobals in the root 
directory, and that code looks kind of hard to modify.

See the below links for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/


On Mon, 24 Nov 2008, Jon Daley wrote:

> 	Since every (I think?) blog software that is in debian just released 
> a security advisory...  I haven't looked into it very carefully yet - do we 
> need to do something to fix LT as well?  And perhaps we can borrow some code 
> from these patches?
>
> ---------- Forwarded message ----------
> Date: Mon, 24 Nov 2008 02:04:52 +0100
> From: secure-testing-team at lists.alioth.debian.org
> To: debian-testing-security-announce at lists.debian.org
> Subject: Security update for Debian Testing - 2008-11-24
> Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)
> Resent-From: debian-testing-security-announce at lists.debian.org
>
> This automatic mail gives an overview over security issues that were recently
> fixed in Debian Testing. The majority of fixed packages migrate to testing
> from unstable. If this would take too long, fixed packages are uploaded to
> the testing-security repository instead. It can also happen that vulnerable
> packages are removed from Debian testing.
>
> Migrated from unstable:
> =======================
> enscript 1.6.4-13:
> CVE-2008-4306: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
>               http://bugs.debian.org/506261
>
> libxml2 2.6.32.dfsg-5:
> CVE-2008-4225: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
> CVE-2008-4226: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
>
> movabletype-opensource 4.2.1-3:
> CVE-2008-4634: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634
>               http://bugs.debian.org/503114
>
> no-ip 2.1.7-11:
> <no CVE yet> : no-ip DUC remote code execution
>               http://bugs.debian.org/506179
>
> typo3-src 4.2.3-1:
> <no CVE yet> : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"
>               http://bugs.debian.org/505324
> <no CVE yet> : typo3: XSS vulnerability in Typo3 sysext "felogin"
>               http://bugs.debian.org/505325
> <no CVE yet> : typo3: passwords are not changeable bug in the backend
>               http://bugs.debian.org/505326
>
> wordpress 2.5.1-10:
> CVE-2008-5113: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
>               http://bugs.debian.org/504771
>
>
>
> How to update:
> --------------
> Make sure the line
>
> 	deb http://security.debian.org lenny/updates main contrib non-free
>
> is present in your /etc/apt/sources.list. Of course, you also need the line
> pointing to your normal lenny mirror. You can use
>
> 	aptitude update && aptitude dist-upgrade
>
> to install the updates.
>
>
> More information:
> -----------------
> More information about which security issues affect Debian can be found in
> the security tracker:
>
> 	http://security-tracker.debian.net/tracker/
>
> A list of all known unfixed security issues is at
>
> 	http://security-tracker.debian.net/tracker/status/release/testing
>
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
Quoting: the act of repeating erroneously the words of another.
-- Ambrose Bierce
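The following PHP snippet is an added illustration of the mechanism discussed in this thread; it is not LifeType/pLog code and not taken from the Debian advisory or the linked articles. It rebuilds in user code the merge that PHP performs when it fills `$_REQUEST` (sources merged in the order given by `variables_order`, or `request_order` on PHP 5.3 and later, with later sources overwriting earlier ones), so that the effect of a cookie sharing a name with a GET parameter is visible from the command line, and it shows a small accessor that only consults GET and POST. The function names `merge_like_request` and `request_param` and the sample `$get`/`$cookie` arrays are hypothetical and constructed for this example.

```php
<?php
// Added example, not LifeType/pLog code. Demonstrates why reading
// $_REQUEST lets a cookie override a query-string or form parameter,
// and one way to read parameters from GET and POST only.

// Rebuild the $_REQUEST merge in user code. With the default order "GPC",
// array_merge() lets a later source overwrite a same-named key from an
// earlier one, so a cookie wins over GET and POST.
function merge_like_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Safe accessor: POST first, then GET, never cookies. Non-string values
// (nested arrays from foo[]=... syntax) fall back to the default so the
// caller always gets a scalar.
function request_param(string $name, array $get, array $post, ?string $default = null): ?string
{
    foreach ([$post, $get] as $source) {
        if (array_key_exists($name, $source) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return $default;
}

// Constructed sample request: a normal ?page=2 request that also carries a
// cookie using the same parameter name.
$get    = ['page' => '2', 'op' => 'viewArticles'];
$post   = [];
$cookie = ['page' => 'value-set-by-cookie', 'PHPSESSID' => 'constructed-session-id'];

$viaRequest = merge_like_request($get, $post, $cookie);        // cookie overrides GET
$viaGetPost = request_param('page', $get, $post, '1');          // '2'

echo "\$_REQUEST-style lookup of 'page': ", $viaRequest['page'], PHP_EOL;
echo "request_param('page'):            ", $viaGetPost, PHP_EOL;

// Server-side counterpart: on PHP >= 5.3, request_order = "GP" in php.ini
// removes cookies from $_REQUEST entirely. An empty value means PHP falls
// back to variables_order, which includes cookies.
echo "request_order: ", var_export(ini_get('request_order'), true), PHP_EOL;
```

Changing individual `$_REQUEST['page']` reads to `$_GET['page']` (as suggested above for parameters that never arrive by POST or cookie) is the per-call-site version of the same fix; the `request_order` directive is the deployment-side version, but it only helps on installations where the administrator controls php.ini, so application code should not rely on it alone.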

