oss-sec mailing list archives

Re: CVE request: dotclear before 2.2.3


From: JcDenis <jcdenis () gdwd com>
Date: Fri, 15 Apr 2011 19:14:52 +0000 (UTC)

Josh Bressers <bressers@...> writes:



----- Original Message -----
My French isn't that good:
http://fr.dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3

But that sounds like a security issue:
"Pour en revenir à cette version, signalons qu'elle contient la
correction d'une faille de sécurité signalée il y a quelque temps par
Raphaël — que nous remercions au passage —, ainsi qu'une correction
attendue pour la génération manuelle des miniatures."

Please use CVE-2011-1584.

The Google Translate is pretty vague, if someone has more details please
speak up:

"To come back to this version, note that it contains the
correcting a security flaw reported some time ago by
Raphael - we appreciate the way - and a correction
expected to generate manual thumbnail. "

Thanks.



Hello Josh,

Yes, it's a security issue. A little more detail here:
http://www.arcabit.com/english/home/a-flaw-in-dotclear
or here:
http://dev.dotclear.org/2.0/changeset/3427

