Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-19 ] TikiWiki: Multiple vulnerabilities
Date: Wed, 14 Nov 2007 22:19:31
Message-Id: 473B6FF4.1020400@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200711-19
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: High
11 Title: TikiWiki: Multiple vulnerabilities
12 Date: November 14, 2007
13 Bugs: #195503
14 ID: 200711-19
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 Multiple vulnerabilities have been discovered in TikiWiki, possibly
22 resulting in the remote execution of arbitrary code.
23
24 Background
25 ==========
26
27 TikiWiki is an open source content management system written in PHP.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 www-apps/tikiwiki < 1.9.8.3 >= 1.9.8.3
36
37 Description
38 ===========
39
40 Stefan Esser reported that a previous vulnerability (CVE-2007-5423,
41 GLSA 200710-21) was not properly fixed in TikiWiki 1.9.8.1
42 (CVE-2007-5682). The TikiWiki development team also added several
43 checks to avoid file inclusion.
44
45 Impact
46 ======
47
48 A remote attacker could exploit these vulnerabilities to inject
49 arbitrary code with the privileges of the user running the application.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All TikiWiki users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.8.3"
63
64 References
65 ==========
66
67 [ 1 ] GLSA 200710-21
68 http://www.gentoo.org/security/en/glsa/glsa-200710-21.xml
69 [ 2 ] CVE-2007-5423
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5423
71 [ 3 ] CVE-2007-5682
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5682
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-200711-19.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 http://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2007 Gentoo Foundation, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/2.5
101 -----BEGIN PGP SIGNATURE-----
102 Version: GnuPG v1.4.7 (GNU/Linux)
103 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
104
105 iD8DBQFHO2/0uhJ+ozIKI5gRApqxAJ9f523yR0Xs6IX7mlfsvwb9rL6lKwCeI74G
106 QUpCYYjgvTMZ+iTcc6Xopr4=
107 =xATD
108 -----END PGP SIGNATURE-----
109 --
110 gentoo-announce@g.o mailing list