Re: [mv] Openhack story...http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html
****** message to minivend-users from Mike Heins <mikeh@minivend.com> ******
Quoting Simon B (music@labyrinth.net.au):
> > Do I understand it correctly that the patch provided on July 12th on
> > Akopia's site closes _all_ three vulnerabilities Mr. Mora has found?
>
> Do these vulnerabilities relate to stores running under 3.14? Are there
> patches?

Most do not relate -- only the first one (detailed earlier in July)
does, and then only if you have a file like view_page.html.

I have released a Minivend 3.14-6 which fixes the vulnerability, and
also strengthens open() calls in general.

You can make the major fix to most any version of Minivend 3 with the
simple addition of

    return undef if ! -f $file;

above the open() in Vend::Util::readfile.

--
Akopia, Inc., 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.8220 fax 7501 <heins@akopia.com>
If you like what you're gettin', keep doin' what you're doin'. -- Hector
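
The one-line guard described in the message above, placed in a stand-alone Perl helper as an added example (not Minivend's own Vend::Util::readfile and not part of the original message). The function name readfile_guarded, the three-argument open() and the sample file names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hypothetical stand-in for a readfile-style helper.
# This is not Minivend's code; names and sample inputs are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Returns the file contents, or undef when $file is not an existing regular file.
sub readfile_guarded {
    my ($file) = @_;
    return undef unless defined $file && length $file;
    # The guard from the message: refuse anything that is not a plain file.
    return undef if ! -f $file;
    # Three-argument open treats $file strictly as a path name, so mode
    # characters inside the string are never interpreted by open().
    open(my $fh, '<', $file) or return undef;
    local $/;                       # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed sample inputs in a temporary directory.
my $dir  = tempdir(CLEANUP => 1);
my $page = "$dir/view_page.html";
open(my $out, '>', $page) or die "cannot create $page: $!";
print {$out} "<html>sample page</html>\n";
close($out);

# [ label, name passed to the helper, 1 if content is expected back ]
my @cases = (
    [ 'regular file',      $page,            1 ],
    [ 'directory',         $dir,             0 ],
    [ 'missing file',      "$dir/nope.html", 0 ],
    [ 'trailing pipe',     "$page|",         0 ],
    [ 'leading mode char', ">$page",         0 ],
);

for my $c (@cases) {
    my ($label, $name, $expect) = @$c;
    my $got = defined readfile_guarded($name) ? 1 : 0;
    printf "%-18s %s\n", $label, $got == $expect ? 'ok' : 'UNEXPECTED';
}
```

The last two cases show why the `-f` test matters in front of a two-argument open(): a string that is not the name of an existing regular file is rejected before open() ever sees it.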