Re: CVE-2010-3205 affects textpattern package
On Mon, May 20, 2013 at 02:58:40PM +0100, Steven Chamberlain wrote:
> Hi,
>
> CVE-2010-3205 in the Textpattern CMS was marked 'NOT-FOR-US', but
> there is a package of the affected version 4.2.0 in oldstable:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3205
>
> The patch tracker and changelog do not suggest this was addressed,
> other than the (orphaned) package since being removed from the archive.
>
> I suggest we might want to mark it as affected (patch attached).
> MITRE references a very trivial PoC that would allow remote file
> inclusion.
Thanks, I've updated the security tracker!
Cheers,
Moritz