Bug#470477: [Debian] JSPWiki-2.6.3 still 3 CVEs ?

2008-07-16 Thread Andrew Jaquith

Hi Philipp,

The original bug report specified three issues. As of the 2.8.0 alpha,  
CVE-2008-1231 (local file inclusion) and CVE-2008-1229 (XSS in editor  
parameter) have been fixed. They appear also to be fixed in the stable  
2.6.3 version, which we would recommend Debian use instead of the  
2.5.139 version.


CVE-2008-1230 (remote .jsp attachment upload) has NOT been fixed, but  
I have just filed a bug in JIRA about it. We will fix this for the  
2.8.0 beta. We may also back-port the fix to 2.6; Janne and I  
will need to confer about whether this makes sense.


Thanks for reporting this!

Andrew

On Jul 16, 2008, at 12:52 PM, Philipp Matthias Hahn wrote:


Hello!

The Linux distributions Debian and [K]ubuntu both ship a very old
2.5.139 version. Debian has listed a grave bug against the package,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470477
because 3 security bugs have been found in JSPWiki:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1230
All 3 reference the same original report, which contains the  
description:

http://marc.info/?l=bugtraq&m=120300554011544&w=2

I'd like to ask you, if you're aware of these bugs and if they were
properly addressed in 2.6.3, since the Changelog doesn't contain any
references to these CVEs?

BYtE
Philipp

PS: please cc:[EMAIL PROTECTED] on replies.
--
Philipp Matthias Hahn <[EMAIL PROTECTED]>
GPG/PGP: 9A540E39 @ keyrings.debian.org





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#470477: [Debian] JSPWiki-2.6.3 still 3 CVEs ?

2008-07-16 Thread Philipp Matthias Hahn
Hello!

The Linux distributions Debian and [K]ubuntu both ship a very old
2.5.139 version. Debian has listed a grave bug against the package,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470477
because 3 security bugs have been found in JSPWiki:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1230
All 3 reference the same original report, which contains the description:
http://marc.info/?l=bugtraq&m=120300554011544&w=2

I'd like to ask you, if you're aware of these bugs and if they were
properly addressed in 2.6.3, since the Changelog doesn't contain any
references to these CVEs?

BYtE
Philipp

PS: please cc:[EMAIL PROTECTED] on replies.
-- 
Philipp Matthias Hahn <[EMAIL PROTECTED]>
 GPG/PGP: 9A540E39 @ keyrings.debian.org


