[diatheke] [CVE-2008-0932] insufficient input sanitising
Bug #195696 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sword (Debian) | Fix Released | Unknown | |
sword (Ubuntu) | Fix Released | Undecided | William Grant |
Dapper | Won't Fix | Undecided | Unassigned |
Edgy | Won't Fix | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Unassigned |
Gutsy | Won't Fix | Undecided | Unassigned |
Hardy | Fix Released | Undecided | William Grant |
Bug Description
Binary package hint: diatheke
References:
DSA-1508-1 (http://
Quoting:
"Dan Dennison discovered that Diatheke, a CGI program to make a bible
website, performs insufficient sanitising of a parameter, allowing a
remote attacker to execute arbitrary shell commands as the web server
user."
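The flaw described above is a CGI parameter reaching the shell without quoting. The following is an added illustration, not diatheke's or sword's own code: a stand-in `shell_escape` (the real sword routine has a different signature), an allowlist check for the range parameter, and a command builder that applies both; the `diatheke -b KJV -k` invocation is assumed for illustration.

```cpp
// Added example, not the project's code. Demonstrates how a CGI should
// treat a user-supplied scripture range before it reaches a shell.
#include <string>
#include <cctype>

// Wrap a value in single quotes so the shell reads it as one literal word.
// An embedded single quote is closed, escaped and reopened: ' -> '\''
std::string shell_escape(const std::string& in) {
    std::string out = "'";
    for (char c : in) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Defence in depth: a range such as "Gen 1:1-3" needs only letters,
// digits, spaces, ':', '-', ',' and '.'; anything else is rejected early.
bool valid_range(const std::string& r) {
    if (r.empty() || r.size() > 64) return false;
    for (unsigned char c : r) {
        if (std::isalnum(c) || c == ' ' || c == ':' || c == '-' ||
            c == ',' || c == '.') continue;
        return false;
    }
    return true;
}

// Build the command line the CGI would hand to popen()/system().
// Returns an empty string when the parameter fails validation, so the
// caller can emit an error page instead of running anything.
std::string build_command(const std::string& range) {
    if (!valid_range(range)) return "";
    // Invocation assumed for illustration only.
    return "diatheke -b KJV -k " + shell_escape(range);
}
```

Either layer alone closes the hole; the allowlist keeps malformed input out entirely, and quoting guarantees that whatever does pass is a single literal argument.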
CVE References
Changed in sword:

Field | Change
---|---
status | Unknown → Fix Released

Changed in sword:

Field | Change
---|---
assignee | nobody → fujitsu
status | New → In Progress
assignee | nobody → fujitsu
status | New → In Progress
assignee | nobody → fujitsu
status | New → In Progress
assignee | nobody → fujitsu
status | New → In Progress
assignee | nobody → fujitsu
status | New → In Progress

Changed in sword:

Field | Change
---|---
assignee | fujitsu → nobody
status | In Progress → Confirmed
assignee | fujitsu → nobody
status | In Progress → Confirmed
assignee | fujitsu → nobody
status | In Progress → Confirmed
assignee | fujitsu → nobody
status | In Progress → Confirmed
This bug was fixed in the package sword - 1.5.9-8ubuntu1
---------------
sword (1.5.9-8ubuntu1) hardy; urgency=low
* Fakesync from Debian unstable.
* Fixes CVE-2008-0932. (LP: #195696)
sword (1.5.9-8) unstable; urgency=high
* diatheke failed to use shell_escape for the range parameter properly, Closes: #466449
sword (1.5.9-7.1) unstable; urgency=medium
[ Luk Claes ]
* Non-maintainer upload.
* Don't ship the libsword.la file anymore (Closes: #444562).
* Don't rely on libclucene.la anymore (Closes: #445776).
sword (1.5.9-7) unstable; urgency=low
* libsword-dev should not depend on libclucene-dev or libc6-dev, libz-dev, libcurl4-gnutls-dev
* patch 09_pcfile.diff don't link apps to all these libs
* update patch 02_libver.diff link lib to clucene
-- William Grant <email address hidden> Sun, 16 Mar 2008 20:59:00 +1100