Re: please unblock libphp-snoopy/1.2.4-1
* Evgeni Golov [Sun, 02 Nov 2008 14:17:58 +0100]:
> Dear Release Team,
> I'd like to ask you to unblock libphp-snoopy/1.2.4-1 for Lenny.
> While being a new upstream release with a quite big diff, the only
> relevant code change is the fix for CVE-2008-4796 in Snoopy.class.php:
> @@ -1012,8 +1006,7 @@
> $headerfile = tempnam($temp_dir, "sno");
> - $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
> - exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return);
> + exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
> if($return)
> {
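Review bot: On the added exec() line, escapeshellcmd($URI) sits inside hand-written double quotes, and escapeshellcmd() leaves quote characters unescaped when they occur in pairs, so a URI carrying a matched pair of double quotes can still close the quoted argument. escapeshellarg($URI), with the surrounding \" removed, is the function meant for quoting a single argument and would be the safer replacement here. The same line also adds -k to the curl invocation, which turns off TLS certificate verification; the request does not list this as a relevant code change, so it should either be dropped or justified on its own. $headerfile and $cmdline_params are interpolated into the same command string, and how they are built is not visible in this hunk, so they deserve the same check.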
> The rest are documentation changes from upstream plus some minor
> packaging cleanup from the maintainer (Standards-Version, Vcs-* headers etc).
> These should not hurt anyone.
> Having 1.2.4-1 in Lenny would allow wordpress to depend on it fixing a
> security bug (#504234 - wordpress includes a copy of the vulnerable snoopy version).
Already unblocked by Luk. (In general, packages fixing RC bugs don't
need explicit request, since we tend to find them anyway. :-)
Thanks,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Man is certainly stark mad; he cannot make a flea, yet he makes gods by the
dozens.
-- Michel de Montaigne