This is _not_ a grave severity issue in the Debian package, specifically because configure (as mentioned in the advisory) is locked down using Apache to 1) localhost and 2) an admin user that is created by the installer.

Sven

Brad Krane wrote:
> Package: twiki
> Version: 1:4.0.5-9.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> TWiki command execution vulnerability found in current version. US-CERT
> Vulnerability Note:
> http://www.kb.cert.org/vuls/id/362012 and TWiki Security Alert:
> http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195
>
>
> -- System Information:
> Debian Release: 4.0
> APT prefers oldstable
> APT policy: (500, 'oldstable'), (500, 'stable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-686
> Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)
>
> Versions of packages twiki depends on:
> ii apache-common 1.3.34-4.1+etch1 support files for all Apache webse
> ii debconf [debconf-2.0] 1.5.11etch2 Debian configuration management sy
> ii libalgorithm-diff-perl 1.19.01-2 a perl library for finding Longest
> ii libcgi-session-perl 4.14-1 Persistent session data in CGI app
> ii libdigest-sha1-perl 2.11-1 NIST SHA-1 message digest algorith
> ii liberror-perl 0.15-8 Perl module for error/exception ha
> ii libhtml-parser-perl 3.55-1 A collection of modules that parse
> ii liblocale-maketext-lexi 0.62-1 Lexicon-handling backends for "Loc
> ii libtext-diff-perl 0.35-2 Perform diffs on files and record
> ii liburi-perl 1.35-2 Manipulates and accesses URI strin
> ii perl [libmime-base64-pe 5.8.8-7etch3 Larry Wall's Practical Extraction
> ii perl-modules [libnet-pe 5.8.8-7etch3 Core Perl modules
> ii rcs 5.7-18 The GNU Revision Control System
>
> twiki recommends no packages.
>
> -- debconf information excluded
>

--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on