oss-sec mailing list archives
Re: CVE request - Snoopy incomplete fix for CVE-2008-4796
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Jul 2014 21:02:21 -0600
Please see: http://seclists.org/fulldisclosure/2014/Jul/16
Note, the new fix [1] referenced in the above FD posts does not look to be a complete fix either and may still allow command injection. Snoopy upstream has been notified and a more complete fix that removes curl and instead uses native php code should be available shortly [2].

Thanks.

[1]. https://raw.githubusercontent.com/cogdog/feed2js/master/magpie/extlib/Snoopy.class.inc
[2]. http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log

--
Garth Mollett / Red Hat Product Security
Ping, has there been any movement on this?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993