Dear Release Team,

I'd like to ask you to unblock libphp-snoopy/1.2.4-1 for Lenny. While being a new upstream release with a quite big diff, the only relevant code change is the fix for CVE-2008-4796 in Snoopy.class.php:

@@ -1012,8 +1006,7 @@ $headerfile = tempnam($temp_dir, "sno"); - $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access - exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return); + exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return); if($return) {

The rest are documentation changes from upstream plus some minor packaging cleanup from the maintainer (Standards-Version, Vcs-* headers etc). These should not hurt anyone.

Having 1.2.4-1 in Lenny would allow wordpress to depend on it fixing a security bug (#504234 - wordpress includes a copy of the vulnerable snoopy version).

Kind regards
Evgeni Golov
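
Review bot: in the added exec() line, escapeshellcmd($URI) sits inside hand-written \"...\" quotes, but escapeshellcmd() is meant for a whole command string and leaves paired quote characters unescaped, while the removed strtr() call that stripped double quotes from the URI is gone. A URI containing a pair of double quotes can therefore close that quoting, and the remainder is split by the shell into separate curl arguments. Passing escapeshellarg($URI) with no surrounding \" would hand curl the URI as a single quoted argument. The same line also adds -k, which turns off curl's certificate verification for every HTTPS fetch; that is unrelated to the CVE fix and is not mentioned in the request, so it should be dropped or justified separately.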