Dear Release Team,
I'd like to ask you to unblock libphp-snoopy/1.2.4-1 for Lenny.
While being a new upstream release with a quite big diff, the only
relevant code change is the fix for CVE-2008-4796 in Snoopy.class.php:
@@ -1012,8 +1006,7 @@
$headerfile = tempnam($temp_dir, "sno");
- $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
- exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return);
+ exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
if($return)
{
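Review bot: On the added exec() line, escapeshellcmd($URI) is not the right escaper for a value that sits inside a hand-written \"...\" argument. escapeshellcmd() is meant for a whole command string and leaves paired quote characters unescaped, so the surrounding double quotes are not guaranteed to hold for every URI. Suggest escapeshellarg($URI) with the manual \" around it dropped. $cmdline_params is concatenated into the same command and is built outside this hunk, so its escaping should be checked as well. The same line also adds -k, which turns off curl's TLS certificate verification for every HTTPS fetch; that is unrelated to the quoting fix and should be justified separately or left out.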
The rest are documentation changes from upstream plus some minor
packaging cleanup from the maintainer (Standards-Version, Vcs-* headers etc).
These should not hurt anyone.
Having 1.2.4-1 in Lenny would allow wordpress to depend on it, fixing a
security bug (#504234 - wordpress includes a copy of the vulnerable snoopy version).
Kind regards
Evgeni Golov