Your message dated Sun, 02 Nov 2008 11:17:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504172: fixed in mediamate 0.9.3.6-5
has caused the Debian Bug report #504172,
regarding CVE-2008-4796: missing input sanitising in Snoopy.class.php
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504172
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediamate.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

From what I can see there might be one or two patches in your Snoopy.class.php
file, which you might want to forward to the libphp-snoopy maintainer.
(For example I was looking at the proxy stuff).

Also, since the package is in stable (etch), I'd like to know in which way
the php library is invoked and how vulnerable to attacks the stable
version is. If it is severe enough, we should prepare a DSA, otherwise
an update could go through s-p-u.

Thanks for your work on mediamate.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch



--- End Message ---
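The bug class named in the CVE text above, a caller-supplied URL spliced into the command line of an external HTTPS client, shown as an added PHP illustration beside a hardened form. This is neither Snoopy's `_httpsrequest()` nor the Debian patch; the function names and the curl path are hypothetical.

```php
<?php
// Added illustration of the bug class behind CVE-2008-4796: a URL taken from
// the caller is spliced into a shell command line for an external HTTPS client
// and executed with exec(). Function names are hypothetical; this is neither
// Snoopy's _httpsrequest() nor the Debian patch for it.

// Unsafe pattern: the raw URL becomes part of the shell command line, so any
// shell metacharacter in $uri changes what the shell executes.
function build_fetch_command_unsafe(string $curl, string $uri): string
{
    return $curl . ' -s -D - "' . $uri . '"';
}

// Hardened pattern: insist on a well-formed https URL with no control bytes or
// whitespace, then pass it through escapeshellarg() so the shell receives it as
// one literal argument regardless of which metacharacters it contains.
function build_fetch_command_safe(string $curl, string $uri): ?string
{
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;    // not an https URL at all
    }
    if (preg_match('/[\x00-\x20\x7f]/', $uri) === 1) {
        return null;    // control characters and whitespace never belong in a URL
    }
    // escapeshellarg() single-quotes the value and escapes embedded single
    // quotes, so characters such as $ ; | ` & ( ) reach curl as plain text.
    return $curl . ' -s -D - ' . escapeshellarg($uri);
}

// Constructed sample inputs: a plain URL, one containing a single quote,
// one with the wrong scheme and one carrying a trailing newline.
$samples = [
    'https://example.org/path?q=1&x=y',
    "https://example.org/a'b",
    'http://example.org/',
    "https://example.org/\n",
];

foreach ($samples as $uri) {
    $cmd = build_fetch_command_safe('/usr/bin/curl', $uri);   // hypothetical curl path
    printf("%-40s => %s\n", json_encode($uri), $cmd ?? 'rejected');
}
```

Running the script prints the quoted command line for the two accepted URLs and `rejected` for the other two; compare with `build_fetch_command_unsafe()`, which would have emitted every input verbatim inside double quotes.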
--- Begin Message ---
Source: mediamate
Source-Version: 0.9.3.6-5

We believe that the bug you reported is fixed in the latest version of
mediamate, which is due to be installed in the Debian FTP archive:

mediamate_0.9.3.6-5.diff.gz
  to pool/main/m/mediamate/mediamate_0.9.3.6-5.diff.gz
mediamate_0.9.3.6-5.dsc
  to pool/main/m/mediamate/mediamate_0.9.3.6-5.dsc
mediamate_0.9.3.6-5_all.deb
  to pool/main/m/mediamate/mediamate_0.9.3.6-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jamin W. Collins <[EMAIL PROTECTED]> (supplier of updated mediamate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 01 Nov 2008 19:04:31 -0400
Source: mediamate
Binary: mediamate
Architecture: source all
Version: 0.9.3.6-5
Distribution: unstable
Urgency: low
Maintainer: Jamin W. Collins <[EMAIL PROTECTED]>
Changed-By: Jamin W. Collins <[EMAIL PROTECTED]>
Description: 
 mediamate  - web-based movie database and tracker
Closes: 504172
Changes: 
 mediamate (0.9.3.6-5) unstable; urgency=low
 .
   * Use external version of class.jabber.php
   * Use external version of Snoopy, CVE-2008-4796 (Closes: #504172)
   * corrected boolean default (true v. True)
   * updated homepage reference in description
   * updated build-depends
   * updated docs file to remove wildcard
   * added patch to update IMDB parsing
   * updated standards version
   * moved source changes to patches where they belong
   * changed default web server to Apache2
Checksums-Sha1: 
 f14b5ebb3895303aad53ed6794bb0c58a50e696d 993 mediamate_0.9.3.6-5.dsc
 0ca5cd53475dd4f931838c169dc9c6cf9d7cfa1c 29366 mediamate_0.9.3.6-5.diff.gz
 454ee6cbdbceeec30fce1ff2c5fa05f6dca66abc 219544 mediamate_0.9.3.6-5_all.deb
Checksums-Sha256: 
 de0c401ed3e2bbd5a8b0031ff2c89b993e5b535a8d5bec2929d4a9a02596bc8e 993 mediamate_0.9.3.6-5.dsc
 dd7af8845ea81551bc4537feeb2490ec0e10ab8e3b24e55027bd9387fdef2c3e 29366 mediamate_0.9.3.6-5.diff.gz
 89e3e10aded7e3fd3f22522ef366cefef2ce25ed97cd8d831b0bbb803764043f 219544 mediamate_0.9.3.6-5_all.deb
Files: 
 5f30d58bbd063e719d09d1e25a3df023 993 web optional mediamate_0.9.3.6-5.dsc
 ec85d6dd6ca9dabb5bdbfcea09b08882 29366 web optional mediamate_0.9.3.6-5.diff.gz
 934786d310512321f6ab39e205970977 219544 web optional mediamate_0.9.3.6-5_all.deb




--- End Message ---