Hideki Yamane wrote:
> Package: security.debian.org
> Severity: important
>
> I cannot find the contact address of alioth's administrator and
> pseudo-packages in BTS (http://www.debian.org/Bugs/pseudo-packages),
> so I'll send to this package.

I'm copying wiggy and lolando who operate the Alioth system.

wiggy, lolando, please take care of this bug report.

> There are vulnerabilities in gforge as I've posted to BTS #291718
> and so it affects alioth. For example, if you browse with a crafted
> URL like this, you'll see alioth's /home
>
> http://alioth.debian.org/scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT/../../../../../..//home
> (Can you see this?)
>
> Please update alioth with the updated gforge package or use a workaround.
>
> Second, it's not a vulnerability but not a good thing, as it is some kind
> of information leak. If alioth's php script gets an error, it appears
> in its page with the script's location and line number. I think that
> you should change php.ini to output its errors not to pages but to
> syslog or log files.
>
> Third, please add an alioth pseudo-package in BTS :-)

Regards,

	Joey

-- 
GNU does not eliminate all the world's problems, only some of them.
	-- The GNU Manifesto

Please always Cc to me when replying to me on the lists.
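The kind of containment check that the `dir` value quoted in the report would fail, as an added example that is not part of the original message and is not gforge's own code. The function names and the per-project root `/cvsroot/libpst` are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helpers, not gforge code): lexically resolve a
// requested directory and refuse it unless it stays inside the project's root.

/** Collapse ".", ".." and empty segments of an absolute POSIX path. */
function normalize_path(string $path): string
{
    $stack = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                 // "//" and "/./" add nothing
        }
        if ($segment === '..') {
            array_pop($stack);        // at the root, ".." stays at the root
            continue;
        }
        $stack[] = $segment;
    }
    return '/' . implode('/', $stack);
}

/** True only if $requested resolves to $root or to something beneath it. */
function is_within_root(string $requested, string $root): bool
{
    // Reject empty values, relative paths and embedded NUL bytes outright.
    if ($requested === '' || $requested[0] !== '/' || strpos($requested, "\0") !== false) {
        return false;
    }
    $resolved = normalize_path($requested);
    $root = rtrim(normalize_path($root), '/');
    // Compare against "root/" so that a sibling such as "/cvsroot/libpst-x"
    // does not pass a plain prefix test.
    return $resolved === $root
        || strncmp($resolved, $root . '/', strlen($root) + 1) === 0;
}

// Constructed inputs; the root is an assumed per-project repository path.
$root = '/cvsroot/libpst';
$samples = [
    '/cvsroot/libpst/CVSROOT',                          // inside the root: allow
    '/cvsroot/libpst/CVSROOT/../../../../../..//home',  // value from the report: deny
    '/cvsroot/libpst-private',                          // sibling directory: deny
];
foreach ($samples as $dir) {
    printf("%-50s %s\n", $dir, is_within_root($dir, $root) ? 'allow' : 'deny');
}
```

The check is purely lexical and does not follow symlinks; for paths that exist on disk, comparing `realpath()` results against the root covers that case as well.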