Date: Tue, 24 Jun 2014 12:10:54 +0200 From: Hanno Böck <hanno@...eck.de> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: piwigo before 2.6.3 sql injection On Tue, 24 Jun 2014 01:51:33 -0400 (EDT) cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > The Piwigo image gallery contains an sql injection before versions > > 2.6.3 and 2.7.0_beta2 > > http://piwigo.org/bugs/view.php?id=3089 > > http://piwigo.org/dev/changeset/28678 > > http://piwigo.org/forum/viewtopic.php?id=24009 > > Are you sure about this? Changeset 28678 doesn't seem to have been > implemented in the > http://piwigo.org/download/dlcounter.php?code=26xto263 file that's > recommended in the 2.6.3 Release Notes. Also, > http://piwigo.org/bugs/changelog_page.php suggests that 3089 was fixed > only in 2.7.0beta2, not in 2.6.3. You are probably right and I'm wrong. I also don't have any further info than the ones publicly available on their webpage. > http://piwigo.org/releases/2.6.3 says "[security] security failure > reported and fixed by Christopher Chrapka, ojezu.org." Is this instead > perhaps an unspecified vulnerability that is unrelated to the fix for > bug 3089? May very well be. So the sqj injection only affects the beta and we have another "unclear" vulnerability and need two CVEs? -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ