oss-sec mailing list archives
CVE request - Snoopy incomplete fix for CVE-2008-4796
From: Garth Mollett <gmollett () redhat com>
Date: Wed, 09 Jul 2014 18:36:52 +1000
Please see: http://seclists.org/fulldisclosure/2014/Jul/16

Note, the new fix [1] referenced in the above FD posts does not look to be a complete fix either and may still allow command injection. Snoopy upstream has been notified and a more complete fix that removes curl and instead uses native php code should be available shortly [2].

Thanks.

[1]. https://raw.githubusercontent.com/cogdog/feed2js/master/magpie/extlib/Snoopy.class.inc
[2]. http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log

--
Garth Mollett / Red Hat Product Security