oss-sec mailing list archives
CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo
From: Raphael Geissert <geissert () debian org>
Date: Mon, 06 Dec 2010 19:44:06 -0600
Hi,

Could CVE ids be assigned for the following issues? Thanks in advance.

IO::Socket::SSL: unexpected fallback to VERIFY_NONE if certificate file(s) are not specified.
http://bugs.debian.org/606058
http://secunia.com/advisories/42508/

cakephp: code execution via unserialize() call with untrusted data
http://malloc.im/CakePHP-unserialize.txt
https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb
http://secunia.com/advisories/42211/

collectd: DoS via the RRDtool and RRDCacheD plugins
http://bugs.debian.org/605092
http://secunia.com/advisories/42393/

gnash: insecure handling of temp files at build-time
http://bugs.debian.org/605419
http://secunia.com/advisories/42416/

ocrodjvu: insecure handling of temp files
http://bugs.debian.org/598134

hypermail: XSS
http://bugs.debian.org/598743

libcloud: "doesn't verify ssl certificate"
It appears that what it doesn't verify is the certificate's CN. From the references provided in the Debian bug report it looks like it is a widespread issue on the SSL implementations in Python. Not sure how MITRE would like to handle those.
http://bugs.debian.org/598463
https://github.com/tjfontaine/linode-python/issues/issue/1#issue/1

piwigo:
a1) CSRF
a2) SQL injection
a3) stored XSS
http://secunia.com/advisories/41365/
http://piwigo.org/releases/2.1.3
http://www.exploit-db.com/exploits/14973/
(the issues mentioned by the exploit-db entry appear to be the same that were fixed in 2.1.3)

b) search.php SQL injection
http://secunia.com/advisories/38305/
http://piwigo.org/releases/2.0.8

c) CSRF in the admin panel:
http://secunia.com/advisories/37681/
http://www.exploit-db.com/exploits/10417
(the exploit-db entry details two other issues, but they are "admin-only" -- feel free to assign or ignore those.)

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
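The libcloud item above describes a client that validates the certificate chain but never checks that the certificate's name matches the host it connected to, which the message notes was common in Python SSL users of the time. The following is an added example, not code from libcloud, linode-python or any Debian package, showing what that missing step consists of: matching a hostname against the dNSName SAN entries (falling back to the subject CN) of a peer certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate dicts at the bottom are constructed for illustration; the wildcard handling follows RFC 6125 section 6.4.3 but is deliberately stricter (only a whole leftmost `*` label is accepted).

```python
"""Hostname verification against an X.509 peer certificate.

Added example (not libcloud's or any project's code).  Certificates are
dicts in the shape returned by ssl.SSLSocket.getpeercert(); the samples
at the bottom are constructed, not taken from any real host."""


class CertificateError(ValueError):
    """Raised when the certificate does not assert the expected hostname."""


def _dns_name_matches(pattern, hostname):
    """Match one presented DNS identifier against a hostname.

    Comparison is case-insensitive.  A wildcard is accepted only as the
    entire leftmost label, only when at least two labels follow it (so
    "*.com" and "*" are rejected), and it covers exactly one label, so
    "*.example.com" does not cover "a.b.example.com"."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    pat_labels = pattern.split('.')
    host_labels = hostname.split('.')
    if (len(pat_labels) < 3 or pat_labels[0] != '*'
            or any('*' in label for label in pat_labels[1:])):
        return False
    if len(pat_labels) != len(host_labels):
        return False
    return pat_labels[1:] == host_labels[1:]


def match_hostname(cert, hostname):
    """Raise CertificateError unless `hostname` is an identity in `cert`.

    dNSName entries of subjectAltName take precedence; the subject
    commonName is consulted only when the certificate carries no dNSName."""
    if not cert:
        # getpeercert() returns {} when the socket did not verify the
        # peer at all, so an empty dict means verification is switched off.
        raise ValueError("empty certificate: peer verification is not enabled")
    dnsnames = [value for kind, value in cert.get('subjectAltName', ())
                if kind == 'DNS']
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    dnsnames.append(value)
    if not dnsnames:
        raise CertificateError("certificate asserts no DNS identity")
    if any(_dns_name_matches(name, hostname) for name in dnsnames):
        return True
    raise CertificateError("hostname %r does not match %s"
                           % (hostname, ", ".join(map(repr, dnsnames))))


def hostname_matches(cert, hostname):
    """Boolean wrapper around match_hostname() for callers that just
    want a yes/no answer."""
    try:
        return match_hostname(cert, hostname)
    except ValueError:      # CertificateError is a ValueError subclass
        return False


# Constructed sample certificates (illustrative values only).
CERT_SAN = {
    'subject': ((('commonName', 'api.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'),
                       ('DNS', '*.cdn.example.com')),
}
CERT_CN_ONLY = {
    'subject': ((('organizationName', 'Example Org'),),
                (('commonName', 'mail.example.org'),)),
}

if __name__ == '__main__':
    for cert, host in ((CERT_SAN, 'api.example.com'),
                       (CERT_SAN, 'img.cdn.example.com'),
                       (CERT_SAN, 'a.b.cdn.example.com'),
                       (CERT_SAN, 'evil.example.com'),
                       (CERT_CN_ONLY, 'MAIL.example.org'),
                       ({}, 'anything.example.com')):
        print(host, '->', hostname_matches(cert, host))
```

A client that calls `getpeercert()` after the handshake and passes the result through `match_hostname()` closes the gap the message describes; note that the empty-dict case is reported as a failure rather than a match, because an empty result means the chain itself was never verified, the same end state as the IO::Socket::SSL VERIFY_NONE fallback listed first.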
Current thread:
- CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Raphael Geissert (Dec 06)
- Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Josh Bressers (Dec 07)
- Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Ludwig Nussel (Dec 09)
- Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Steven M. Christey (Dec 09)
- Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Ludwig Nussel (Dec 09)
- Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo Josh Bressers (Dec 07)