Package: security.debian.org
Severity: important

I cannot find the contact address of alioth's administrator or a pseudo-package in the BTS (http://www.debian.org/Bugs/pseudo-packages), so I'll send this to this package.

There are vulnerabilities in gforge, as I've posted to BTS #291718, and so they affect alioth. For example, if you browse with a crafted URL like this, you'll see alioth's /home:

http://alioth.debian.org/scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT/../../../../../..//home

(Can you see this?) Please update alioth with the updated gforge package or use a workaround.

Second, it's not a vulnerability, but it's not a good thing, as it is some kind of information leak. If alioth's php script gets an error, it appears on the page with the script's location and line number. I think that you should change php.ini to output its errors not to pages but to syslog or log files.

Third, please add an alioth pseudo-package in the BTS :-)

--
Regards,
Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp
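The report above shows a `dir` parameter escaping the repository root through `..` segments. As an added example (not gforge's own code, and not part of the original mail), here is the kind of containment check a PHP SCM browser can apply before using such a parameter; the root path `/cvsroot` and the function name are assumed, not taken from gforge.

```php
<?php
// Added example, not gforge code: accept a user-supplied "dir" parameter only
// if it resolves to a location inside the allowed SCM root.
// $scmRoot is an assumed value; the real root comes from the site config.

function resolve_scm_dir(string $scmRoot, string $requestedDir): ?string
{
    // Normalise lexically: drop empty and "." segments and collapse "..",
    // without touching the filesystem, so non-existent paths are covered too.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $requestedDir)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);   // popping past the root is caught below
            continue;
        }
        $parts[] = $seg;
    }
    $normalised = '/' . implode('/', $parts);

    // The normalised path must be the root itself or sit strictly beneath it.
    $root = rtrim($scmRoot, '/');
    if ($normalised !== $root && strpos($normalised, $root . '/') !== 0) {
        return null;   // escapes the SCM root: refuse the request
    }
    // Note: this is a lexical check only. If the root may contain symlinks,
    // additionally compare realpath($normalised) against realpath($root).
    return $normalised;
}

// Constructed inputs: the crafted value from the report, then a legitimate one.
$root = '/cvsroot';
var_dump(resolve_scm_dir($root, '/cvsroot/libpst/CVSROOT/../../../../../..//home'));
var_dump(resolve_scm_dir($root, '/cvsroot/libpst/CVSROOT'));
```

The first call returns NULL (the request is refused) and the second returns the normalised in-root path; the error-display point in the mail is handled separately, in php.ini, by turning display_errors off and enabling log_errors.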