[RCD] Security updates 0.8.6 and 0.7.3 for save-pref vulnerability
bubble at hoster-ok.com
Fri Mar 29 07:48:11 CET 2013
28.03.2013 12:13, A.L.E.C wrote:
> On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
>>> Patch for 0.6: http://ow.ly/jtQNd
>> Are previous versions affected?
>> Looking at my 0.4 installation, save_prefs is implemented absolutely
>> differently, there are lists of prefs for each section, and they are
>> cherry-picked from what a client sends.
It is r3787 (Mon, 28 Jun 2010)
with local patches to be precise.
> 0.4 is vulnerable too, you're looking in the wrong place. The issue is in
program/steps/settings/save_prefs.inc in my tree.
This one -
This revision uses static lists of per-section prefs. I can't believe it
> We don't support such very old releases.
I understand. You go toooo fast for me to follow ;) Keep going!
It would be nice if you dug up the exact commit which introduced this.