Date: Tue, 24 Jun 2014 12:10:54 +0200
From: Hanno Böck <>
Subject: Re: CVE request: piwigo before 2.6.3 sql injection

On Tue, 24 Jun 2014 01:51:33 -0400 (EDT) wrote:

> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> >
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the
> file that's
> recommended in the 2.6.3 Release Notes. Also,
> suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong.

I also don't have any further info than the ones publicly available on
their webpage.

> says "[security] security failure
> reported and fixed by Christopher Chrapka," Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sql injection only affects the beta and we
have another "unclear" vulnerability and need two CVEs?

Hanno Böck


