Message-ID: <20141210192328.GL386@kludge.henri.nerv.fi>
Date: Wed, 10 Dec 2014 21:23:28 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: MyBB 1.8.3 & 1.6.16 security releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get multiple CVEs for issues fixed in MyBB 1.8.3 & 1.6.16, thank you.

http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/

1.8.3
"""
The vulnerabilities are:

High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
Medium Risk: A XSS vulnerability in calender.php (reported by -Acid)
Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
Low Risk: unserialize may call PHP magic methods (reported by chtg)
Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we've fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we've set the adminsid cookie as httpOnly (#1622).

We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.
"""

1.6.16
"""
The vulnerabilities are:

Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
Low Risk: A XSS vulnerability in admin/modules/style/templates.php
Low Risk: A XSS vulnerability in admin/modules/config/languages.php
Low Risk: unserialize may call magic methods (reported by chtg)
Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we've revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we've set the adminsid cookie as httpOnly (#1622).
"""

- -- 
Henri Salo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSInbAACgkQXf6hBi6kbk+HHwCgxg2yCr90kZnJRyuuEEagOJYS
P64AnjRISYE3GfVkpHNkLpYCtwkoqB6O
=HciC
-----END PGP SIGNATURE-----