Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160618195224.BFA2A33201D@smtpvbsrv1.mitre.org>
Date: Sat, 18 Jun 2016 15:52:24 -0400 (EDT)
From: cve-assign@...re.org
To: scott@...agonie.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Simple Machines Forums - PHP Object Injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The first one appears to have been fixed in the release-2.1 branch, but the
> other one still exists.

> https://github.com/SimpleMachines/SMF2.1/blob/404fd5347951652624dfb72304ee38fcab98378f/Sources/Packages.php#L863-L873

Use CVE-2016-5726.


> https://github.com/SimpleMachines/SMF2.1/blob/19ee85ff8761b792ea3e9ed630a947f45f93ee68/Sources/LogInOut.php#L125-L129

Use CVE-2016-5727.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXZaYTAAoJEHb/MwWLVhi2/+YP+wc2CtBwbz9Qs67YW8t1UXuS
wxH2Dw7r3VLuGmD5UJAZBYt4+7kGd8FdMijD4ZNT3EdfraEkD45u8sXmbx0P0y7E
qX178dTVoi3h7sJHlTOa5agRmGqS1uLbzWWxXSolAU8X6/FFO/7/cTOJBCVW0z02
R1GNIVuf8mJA0mgGZ3DDJy0RV/dnco3VO4LoRKy2uQHnz3XHWaKnZkrmkBmt+eGK
ZevSmz4OVVf6B/w8rx4BcAajdlGWS89epGZSeAPnZeTPeixQE7E6uOhRaGPif0h4
0JP4GsDbKNUjod7DnVEKkDV0bHxc2Z+SEQyBihahtvdSxwe2W0N5ZdMejHbw2f8f
kN+0EYIGbOdPJYAP0c35PKLyfhlDrUwF/iPNx2k+tTls1T8qX//gb8PuZoF0k2Ro
zO9MYrZTlM819fN1Y4oqpUsB1dhDgcPstQx8ptqI6KDVJP61KUgRv/ADga9cLulo
nYPDfcqd+swJUZxRnUgeJuwmsYDF8BZTUQJmR48wTiBCQEqrQN4PSyD11RZLcJUv
lUrKhv6zINxknlNMPyb72NMIcSfW1iMwc0SiuYNElY+pSliBrPyZ0jC8+Bhpt0QL
eFvKwmGRTnoWp6Ly7iK2nI8uwp5zS0bCKrjw7ZpVmh97vslA2iA+7yxohqNV7po5
mGc8to+TR4jrcCoFZy2E
=SRzi
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.