[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Thijs Kinkhorst
kink at squirrelmail.org
Sat Oct 29 20:33:56 UTC 2005
Hello All,
On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> All affect Sarge.
I've prepared updated packages for sarge. My updated package for sid is
still pending with my sponsor Luk Claes. The updated packages for sarge
are available here:
http://www.a-eskwadraat.nl/~kink/mantis_sec/
They are not signed since I'm not a DD yet.
Please let me know if you have comments or questions.
Regarding woody:
> Woody seems unaffected, but 3337 should be double-checked in a real-life
> environment.
> which is not present in Woody, but might have an equivalent in 0.17. I couldn't
> find it with grep, but it should again be tested in a production mantis environment,
> as the bug contains a demo page with the XSS.
I've tried, but I can't even get the woody version to run on woody...
Any login or account-creation step yields errors. Hence, I can't test
them, but agree with Moritz's assertions that woody is most probably not
vulnerable.
regards
Thijs Kinkhorst