Hi all,

This is a notification that the remote file inclusion vulnerabilities reported
in CVE-2007-5631 have been fixed in PeopleAggregator v1.2pre6-release-55, and
are not exploitable if PHP's register_globals directive is disabled.

CVE entry: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5631

Notes from vendor: To be exploitable, the web server must be configured with
PHP's register_globals directive ON. To fix a vulnerable installation, either
turn register_globals OFF in php.ini or via the php_flag Apache option, or
upgrade to v1.2pre6-release-55.

Advisory blog post: http://www.myelin.co.nz/post/2007/11/12/#200711121

Upgrade instructions:

If installed via Subversion, run 'svn update' in the root of your
PeopleAggregator install.

If installed via tarball, download the latest tarball from
http://update.peopleaggregator.org/dist/peopleaggregator-1.2pre6-release-55.tar.gz
and copy all files over those from your existing installation.

Regards,
Phillip Pearson
Broadband Mechanics
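
A static check for the mitigation in the vendor notes, added here as an example (it is not code from PeopleAggregator or the vendor): it reads php.ini text plus Apache or .htaccess text and reports whether register_globals ends up ON. The function names and sample configurations are constructed for illustration, and Apache section scoping is not modelled.

```python
import re

# Values PHP's ini parser treats as boolean true (case-insensitive).
INI_TRUE = {"1", "on", "true", "yes"}

def ini_register_globals(php_ini_text):
    """Value of register_globals after reading php.ini text (last assignment wins)."""
    enabled = False  # PHP's built-in default since 4.2.0 when the directive is absent
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r'register_globals\s*=\s*"?([^"\s]*)"?\s*$', line, re.I)
        if m:
            enabled = m.group(1).lower() in INI_TRUE
    return enabled

def apache_register_globals(conf_text, inherited):
    """Apply php_flag / php_admin_flag lines from httpd.conf or .htaccess text.

    Simplification: lines are applied in order; <Directory>/<VirtualHost> scoping
    and php_admin_flag precedence are not modelled.
    """
    enabled = inherited
    for line in conf_text.splitlines():
        m = re.match(r"\s*php_(?:admin_)?flag\s+register_globals\s+(\S+)", line, re.I)
        if m:  # commented-out lines start with '#' and never match
            enabled = m.group(1).lower() in ("on", "1")
    return enabled

def exposed(php_ini_text, apache_conf_text=""):
    """True if register_globals ends up ON, the precondition named in the vendor notes."""
    return apache_register_globals(apache_conf_text, ini_register_globals(php_ini_text))

# Constructed sample configurations (not taken from any real installation).
VULNERABLE_INI = "[PHP]\n; register_globals = Off\nregister_globals = On\n"
FIXED_INI = "[PHP]\nregister_globals = Off\n"
HTACCESS_FIX = "# mitigation from the vendor notes\nphp_flag register_globals off\n"

if __name__ == "__main__":
    print("php.ini On, no override:   ", exposed(VULNERABLE_INI))
    print("php.ini On, php_flag off:  ", exposed(VULNERABLE_INI, HTACCESS_FIX))
    print("php.ini Off:               ", exposed(FIXED_INI))
```

The result reflects only the text passed in; the value reported by phpinfo() on the running web server is the authoritative one.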