Date: Sat, 1 Nov 2008 23:01:15 +1100 From: Steffen Joeris <steffen.joeris@...lelinux.de> To: oss-security <oss-security@...ts.openwall.com> Cc: coley@...re.org Subject: CVE-2008-4796: snoopy triage Hi I thought I'd share the outcome of my snoopy triage for debian. I had a look at upstream's patch and compared it with packages in debian. We had 6 packages including the file Snoopy.class.php, all were vulnerable. List of packages: ampache: /usr/share/ampache/www/modules/infotools/Snoopy.class.php libphp-snoopy: /usr/share/php/libphp-snoopy/Snoopy.class.php mahara: /usr/share/mahara/lib/snoopy/Snoopy.class.php mediamate: /usr/share/mediamate/Snoopy.class.php opendb: /usr/share/opendb/functions/Snoopy.class.php pixelpost: /usr/share/pixelpost/addons/_defensio/libraries/Snoopy.class.php I haven't checked, how they depend on the Snoopy.class.php file yet. Of course there might be more out there and included in other distributions, so don't assume that this is all. The packages in debian duplicating the source should just depend on the libphp-snoopy package, which in debian is the snoopy upstream package. Steve, do you want to update the CVE description to reflect that the file is included in several other packages? Cheers Steffen : http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch Download attachment "signature.asc " of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.