CVE-2008-0173

Name	CVE-2008-0173
Source	CVE (in NVD)
Description	SQL injection vulnerability in Gforge 4.6.99 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified parameters, related to RSS exports.
References	DSA-1459-1
NVD severity	high
Debian/stable	not vulnerable
Debian/testing	not vulnerable
Debian/unstable	not vulnerable

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
gforge (PTS)	etch, etch (security)	4.5.14-22etch8	fixed
	lenny, sid	4.7~rc2-6	fixed

The next table lists affected binary packages.

Binary Package	Release	Version	Status	Architecures
gforge, gforge-common, gforge-db-postgresql, gforge-dns-bind9, gforge-ftp-proftpd, gforge-ldap-openldap, gforge-lists-mailman, gforge-mta-courier, gforge-mta-exim, gforge-mta-exim4, gforge-mta-postfix, gforge-shell-ldap, gforge-shell-postgresql, gforge-web-apache	etch, etch (security)	4.5.14-22etch8	fixed	all
gforge, gforge-common, gforge-db-postgresql, gforge-dns-bind9, gforge-ftp-proftpd, gforge-lists-mailman, gforge-mta-courier, gforge-mta-exim4, gforge-mta-postfix, gforge-plugin-mediawiki, gforge-plugin-scmcvs, gforge-plugin-scmsvn, gforge-shell-postgresql, gforge-web-apache, gforge-web-apache2	lenny, sid	4.7~rc2-6	fixed	all

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
gforge	source	(unstable)	4.6.99+svn6330-1	medium
gforge	source	etch	4.5.14-22etch4	unknown	DSA-1459-1
gforge	source	sarge	3.1-31sarge5	unknown	DSA-1459-1

Notes

this is exploitable by unauthenticated users
Requires register_globals to be On, unsupported in lenny+sid.
In lenny+sid these scripts just don't work, so no security issue.
In etch+sarge we support gforge with rg On, unfortunately.

Home - Testing Security Team - Debian Security - Imprint