Giuseppe Iuculano
2009-Apr-19 20:52 UTC
[Secure-testing-team] Bug#524778: Remote code execution via preg_replace in html2text.php
Package: mahara
Version: 1.1.2-1
Severity: important
Tags: security patch

Hi,

mahara is using the vulnerable version of html2text, which could lead to code execution attacks, the same as CVE-2008-5619 in roundcube. The patch for this issue can be found at [1].

I'm not sure if it is exploitable, and the version in stable isn't affected, so I set the severity only to important.

[1] http://trac.roundcube.net/changeset/2148

Cheers,
Giuseppe.