On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
> Hi,
>
> About openacs and dotlrn packages, I don't think they are affected by
> any of the Xinha vulnerabilities [1][2][3]. The summary says:
>
> "Xinha ships with several plugins that utilize PHP scripting for special
> usage, like the ImageManager or ExtendedFileManager. A 0-day security
> exploit has been reported available as of today that exploits the
> functionality of these plugins to upload malicious files to your
> webspace, to execute foreign code." [4]
>
> It seems a PHP problem, and the proposed fix is just to remove a bunch
> of php files, so I guess the packages are safe because they don't use
> PHP at all, as well as the aolserver package. There is no way to execute
> that PHP code on openacs or dotlrn.
>
> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
> [4] http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html

Thanks, I've updated the security tracker.

Cheers,
Moritz
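A triage check in the spirit of the thread above, as an added example that is not part of the original messages or of any Debian or Xinha tooling: it walks an unpacked source tree and lists PHP files shipped under the two plugin directories the quoted advisory names. The extension list, the function names and the sample file names are assumptions made for the illustration.

```python
import os
import tempfile

# Plugin directory names taken from the advisory text quoted in the thread.
PLUGIN_DIRS = {"ImageManager", "ExtendedFileManager"}
# Assumption: extensions commonly mapped to the PHP handler.
PHP_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".phtml")


def find_plugin_php(root):
    """Return sorted root-relative paths of PHP files under the named plugin dirs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if not PLUGIN_DIRS.intersection(parts):
            continue  # not inside ImageManager/ or ExtendedFileManager/
        for name in filenames:
            if name.lower().endswith(PHP_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed layout (hypothetical file names, not real package contents)."""
    for rel in (
        "www/xinha/plugins/ImageManager/sample-upload.php",
        "www/xinha/plugins/ImageManager/Classes/sample-helper.php",
        "www/xinha/plugins/ImageManager/sample-dialog.js",
        "www/xinha/plugins/ExtendedFileManager/sample.PHP",
        "www/xinha/plugins/CharacterMap/sample.js",
        "www/other/index.php",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_plugin_php(tmp):
            print("ships PHP plugin file:", hit)
```

An empty result means the tree does not ship PHP files under those plugin directories; a non-empty result only shows the files are present, and whether the serving stack would execute them is a separate check.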