
Re: CVE-2010-3205 affects textpattern package



On Mon, May 20, 2013 at 02:58:40PM +0100, Steven Chamberlain wrote:
> Hi,
> 
> CVE-2010-3205 in the Textpattern CMS was marked 'NOT-FOR-US', but
> there is a package of the affected version 4.2.0 in oldstable:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3205
> 
> The patch tracker and changelog do not suggest this was addressed,
> other than the (orphaned) package since being removed from the archive.
> 
> I suggest we might want to mark it as affected (patch attached).
> MITRE references a very trivial PoC that would allow remote file
> inclusion.

Thanks, I've updated the security tracker!

Cheers,
        Moritz

