Change logs for cakephp source package in Trusty

  • cakephp (1.3.15-1+deb7u2build0.14.04.1) trusty-security; urgency=medium
    
      * fake sync from Debian
    
    cakephp (1.3.15-1+deb7u2) wheezy-security; urgency=high
    
      * Non-maintainer upload by the LTS team.
      * Fix CVE-2016-4793:
        The getClientIP function allowed remote attackers to spoof their IP
        address. This vulnerability could be used to bypass access control lists
        to get access to sensitive data, or lead to higher severity vulnerabilities
        if untrusted data returned by getClientIP() is treated as safe and used
        without appropriate sanitization within SQL queries, system command calls
        etc.
    
    cakephp (1.3.15-1+deb7u1) wheezy-security; urgency=medium
    
      * Address SSRF (Server Side Request Forgery) attack by
        ensuring included files are "regular" (e.g. `./foo.xml`) rather than merely
        existing (e.g. `/dev/urandom`, etc.). (Closes: #832283)
    
     -- Tyler Hicks <email address hidden>  Wed, 15 Mar 2017 20:37:24 +0000
  • cakephp (1.3.15-1) unstable; urgency=low
    
      * New upstream release (Closes: #665218)
      * Bump Standards-Version to 3.9.2.
      * Update 02-cake-binary-libs.diff.
    
     -- Chris Lamb <email address hidden>  Tue, 26 Jun 2012 17:20:45 +0100