[Bug 138614] Please sync phpwiki (universe) from Debian unstable (main)

Michael Bienia michael at vorlon.ping.de
Mon Sep 10 13:06:13 BST 2007


Public bug reported:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 affects ubuntu/phpwiki
 status confirmed
 subscribe ubuntu-archive

Please sync phpwiki (universe) from Debian unstable (main).
Changelog since current gutsy version 1.3.12p3-6:

phpwiki (1.3.12p3-6.1) unstable; urgency=high

  * NMU by the testing security team, with maintainer approval.
  * CVE-2007-3193: lib/WikiUser/LDAP.php in PhpWiki before 1.3.13p1, when the
    configuration lacks a nonzero PASSWORD_LENGTH_MINIMUM, might allow remote
    attackers to bypass authentication via an empty password, which causes
    ldap_bind to return true when used with certain LDAP implementations.
    (Closes: #429201)
  * CVE-2007-2024, CVE-2007-2025: Unrestricted file upload vulnerability in
    the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows
    remote attackers to upload arbitrary PHP files with a double extension, as
    demonstrated by .php.3, which is interpreted by Apache as being a valid
    PHP file.
    (Closes: #441390)

 -- Thijs Kinkhorst <thijs at debian.org>  Sun, 09 Sep 2007 14:10:57 +0200


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (GNU/Linux)

-----END PGP SIGNATURE-----

** Affects: phpwiki (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
Please sync phpwiki (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/138614
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is a direct subscriber.
