It was brought to my attention that the Snoopy library shipped in the
Media Mate packages for etch and lenny has a potential security
vulnerability[0].

CVE-2008-4796[1]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

While the exploit appears to only pertain to HTTPS requests, which
mediamate should not be using, it's better to be safe than sorry. I've
prepared an updated package for unstable that has already been uploaded
to the repository. I've also made an attempt to prepare updated
packages for both etch and lenny. These are the first such packages
I've made, but I believe I've done so correctly. The packages are the
same as the versions currently in etch and lenny with the exception of
the Snoopy update and changelog entry. As my key has moved to emeritus
status I've signed the packages and placed them on my personal website:
http://www.asgardsrealm.net/tmp/debs/mediamate/
Please let me know if there is anything else I should do, or if the
packages need any further changes.

--
Jamin W. Collins

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504172
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
http://security-tracker.debian.net/tracker/CVE-2008-4796