
Re: RFS: tikiwiki



Moritz Muehlenhoff wrote:

> http://moritz-naumann.com/adv/0003/tikiw/0003.txt
> Is this fixed in your package, the advisory says that 1.9.2 is affected
> as well?

The developers claim that 1.9.2 is not vulnerable, contrary to what was
stated in the advisory. See
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-11/0333.html

My tests confirm this.

> Given that there've been four vulnerabilities in TikiWiki for 2005 alone,
> does upstream have a reasonable security policy,

There is a mechanism in place for reporting security problems:
  http://tikiwiki.org/TikiSecurity

Recent issues seem to have been fixed and patched in a timely manner.
Announcements are posted to mailing lists and on the web site. Changes
and workarounds were described in detail, see for example:
  http://tikiwiki.org/tiki-read_article.php?articleId=118

Of the recent security problems, one was in the XML-RPC library which is
part of PEAR. Since my package doesn't contain Tikiwiki's versions of
external libraries, it would have been fixed by the php-pear package.

For the code injection vulnerabilities, I have applied stricter access
controls in the Apache configuration, and plan to make further
restrictions to prevent these attacks.

Marcus
