Ubuntu
tikiwiki package

  1. Bug #180702
  2. Comment #4

Comment 4 for bug 180702

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tikiwiki - 1.9.7+dfsg-1ubuntu1.2

---------------
tikiwiki (1.9.7+dfsg-1ubuntu1.2) feisty-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE: (LP: #180702)
    + CVE 2007-6526: Cross-site scripting (XSS) vulnerability in tiki-special_chars.php
      in TikiWiki before 1.9.9 allows remote attackers to inject arbitrary web script or
      HTML via the area_name parameter.
    + CVE 2007-6528: Directory traversal vulnerability in tiki-listmovies.php in TikiWiki
      before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and
      modified filename in the movie parameter.
    + CVE 2007-6529: Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have
      unknown impact and attack vectors involving tiki-edit_css.php,
      tiki-g-admin_shared_source.php.
  * debian/patches/91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
    - Applied patch by upstream
  * References
    - CVE-2007-6526
    - CVE-2007-6528
    - CVE-2007-6529

  [ Jamie Strandboge ]
  * Use dash-compliant syntax in debian/rules

 -- Emanuele Gentili <email address hidden> Sun, 17 Feb 2008 18:12:35 +0100