thijs at alioth.debian.org
2008-Jan-11 10:52 UTC
[Secure-testing-commits] r7878 - data/CVE
Author: thijs Date: 2008-01-11 10:52:42 +0000 (Fri, 11 Jan 2008) New Revision: 7878 Modified: data/CVE/list Log: update gforge entry: this vulnerability requires register_globals to be On. This is supported for sarge and etch (for gforge - in general, rg=1 issues in etch are UNsupported). This means that for lenny/sid the scripts are merely broken but not vulnerable. A DSA for etch/sarge is pending. Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-01-11 09:14:11 UTC (rev 7877) +++ data/CVE/list 2008-01-11 10:52:42 UTC (rev 7878) @@ -1,6 +1,11 @@ CVE-2008-0173 [SQL injection in gforge] - - gforge <unfixed> (medium) + - gforge <unfixed> (unimportant) + [etch] - gforge <unfixed> (medium) + [sarge] - gforge <unfixed> (medium) NOTE: this is exploitable by unauthenticated users + NOTE: Requires register_globals to be On, unsupported in lenny+sid. + NOTE: In lenny+sid these scripts just don''t work, so no security issue. + NOTE: In etch+sarge we support gforge with rg On, unfortunately. CVE-2008-0159 (SQL injection vulnerability in index.php in eggBlog 3.1.0 and earlier ...) NOT-FOR-US: eggBlog CVE-2008-0158 (Directory traversal vulnerability in index.php in Shop-Script 2.0 and ...)
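Review bot: the added line `+ NOTE: In lenny+sid these scripts just don''t work, so no security issue.` has a doubled apostrophe (`don''t`), and the retained context line `NOTE: this is exploitable by unauthenticated users` now precedes the new register_globals notes, so a reader of data/CVE/list sees an unconditional "exploitable" statement before the condition that makes the `<unfixed> (unimportant)` entry differ from the `[etch]`/`[sarge] (medium)` entries. Suggest fixing the typo and qualifying or moving the unauthenticated-users note so it follows the register_globals condition, e.g. `NOTE: exploitable by unauthenticated users only when register_globals is On`, so the severity split is explained by the notes themselves.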