Hi

On Tue, 4 Nov 2008 04:24:57 am Jamin W. Collins wrote:
> It was brought to my attention that the Snoopy library shipped in the
> Media Mate packages for etch and lenny has a potential security
> vulnerability[0]
>
> CVE-2008-4796[1]:
> | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> | and earlier allows remote attackers to execute arbitrary commands via
> | shell metacharacters in https URLs. NOTE: some of these details are
> | obtained from third party information.
>
> While the exploit appears to only pertain to HTTPS requests, which
> mediamate should not be using, it's better to be safe than sorry. I've
> prepared an updated package for unstable that has already been uploaded
> to the repository. I've also made an attempt to prepare updated
> packages for both etch and lenny. These are the first such packages
> I've made, but I believe I've done so correctly. The packages are the
> same as the versions currently in etch and lenny with the exception of
> the Snoopy update and changelog entry. As my key has moved to emeritus
> status I've signed the packages and placed them on my personal website:
>
> http://www.asgardsrealm.net/tmp/debs/mediamate/
>
> Please let me know if there is anything else I should do, or if the
> packages need any further changes.

FYI:
Release team: This issue does not warrant a DSA/DTSA, so with your
permission it could go through s-p-u/t-p-u.

Cheers
Steffen