I still contend that

"Allow from 127.0.0.1"

does _not_ constitute open to anyone on the internet. While hard coding TWikiGuest with a password of guest is not in any sense a good thing, what I've noticed of other Debian packages (and the fact that this was the case when I inherited the package) makes me feel that it's _not_ an issue that demands everyone to drop everything.

"Satisfy Any" is not a better solution, as it opens configure up to an even bigger group of users - anyone that has registered on the TWiki.

That said, I was (and am) expecting that, as Olivier has such a strong interest, he will be fixing the issues he found in his own patch, so that the package can become better. In fact, I'm hoping he'll help finish the 4.2.x TWiki package that I started work on last time I had the time to look.

Sven
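As an added illustration (not the thread's patch nor the Debian package's actual Apache configuration), the two access-control patterns under discussion side by side, in Apache 2.2 syntax; the Location path, the htpasswd file paths and the admin user name are assumptions:

```apache
# Added example; the paths and user names below are placeholders.

# --- Weak pattern: the one the thread objects to ---
# "Satisfy Any" means EITHER the IP restriction OR the authentication
# is sufficient. If the password file contains a well-known account
# (TWikiGuest with password "guest"), the "Allow from 127.0.0.1" line
# buys nothing: any remote client can log in as that guest.
<Location /twiki/bin/configure>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    # placeholder path; this file also holds TWikiGuest:guest
    AuthUserFile /path/to/twiki/data/.htpasswd
    Require valid-user
    Satisfy Any
</Location>

# --- Hardened pattern ---
# "Satisfy All" (the Apache 2.2 default) requires BOTH the source
# address check AND a successful login, and "Require user" names one
# administrator instead of any valid-user, so neither the guest
# account nor an ordinary registered TWiki user can reach configure.
<Location /twiki/bin/configure>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    # placeholder path; a separate file created with, for example:
    #   htpasswd -c /etc/twiki/configure.htpasswd twikiadmin
    AuthUserFile /etc/twiki/configure.htpasswd
    Require user twikiadmin
    Satisfy All
</Location>
```

Checking the result from a non-local address (without credentials and with the guest credentials) should return 403 in the hardened form, whereas the weak form answers the guest login with 200.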


Olivier Berger wrote:
On Tuesday 10 June 2008 at 17:39 +1000, Sven Dowideit wrote:
odd,

I'm under the impression that I did respond, and indicated that I don't see it as a major issue.

OK, here I strongly disagree.

You say you don't see as a "major issue" that anyone on the Internet can
access and change a TWiki instance's configuration as user
TWikiGuest/guest, as long as the server is on the Net (unless the admin
has manually tweaked the apache config) ?!? Maybe someone will provide
more insightful comments, now the issue is public ?

It may not be "major"... but still, it's quite an issue... right ? Why
is there any such Apache config, whereas limiting to local user's access
for configure should be a *minimum* provision for confidentiality, at
least, for instance (even though that's not enough IMHO)...

Leaving the current apache config as such is nonsense for default
installation (in particular the "Satisfy Any"), IMHO.

What do you propose to address it ?

Feel free to downgrade the severity or otherwise change the ticket's
attributes. But I'm sure I would restore it as currently is.

no-one on the security team suggested it was either, leading me to believe that we had a consensus.


No one explicitly said yes or no, AFAICT... this is far from consensus
(or I missed some emails). All I could read from someone from security
team was :

-------- From: Florian Weimer <[EMAIL PROTECTED]>
To: Olivier Berger <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], Sven Dowideit <[EMAIL PROTECTED]>, Sven Dowideit <[EMAIL PROTECTED]>
Subject: Re: Security issue for Twiki's configure script execution possible by default
Date: Wed, 28 May 2008 20:29:36 +0200

* Olivier Berger:

I may be wrong, but I don't think I got an ACK (even to say "no time
to read yet") that this message was received.

I had hoped the maintainer chimed in.

This problem seems to be known by the maintainer, as discussed in
http://twiki.org/cgi-bin/view/Codev/TWikiOnDebian (comments dated nov.
2007), AFAICT... Maybe he even prepared something in order to address
this problem, which for some reason was not uploaded to Debian yet, as
the packaging changelog seems to indicate :
http://svn.twiki.org/svn/twiki/trunk/core/tools/pkg/debian/changelog :
"* change configure to use any valid-user - TWikiGuest is silly"

Sven, can you comment on this?

Is anybody from the security team familiar with Apache ACLs and can
propose a fix?
----------------

Then no more, the rest was between you and me.

They primarily asked for your opinion... then nothing more, as I suppose
they were probably too busy already on other problems.

They didn't respond again when you finally responded... (which leaves us
in doubt that anyone in the security team would be familiar with Apache
ACLs ;-)).

I guessed you were comforted in your opinion by their lack of reaction,
which is yet no indication that they would agree.

Sven

I initially chose not to provide more details in the report in the BTS
about the problem, hoping that you agreed it was problematic, and would
be willing to welcome help. But it looks like we got some
misunderstanding here.
Too bad I'm forced to expose more details, as there doesn't seem to be
consensus (maybe a problem with communication through email which
renders things more difficult ?), and the only way out will be
discussing it in details and in public I think.

I proposed a NMU patch (maybe not perfect, but much less bad, IMHO,
than current state of things), and also a bit later warned you there
would be a problem. You added :
Also, the patch was found, by you to be defective. So I was expecting to see another round.


... as I explained, it would only need some slight reorganization of the
postinst code to separate the configure and reconfigure cases in the
code flow (which would be easy in principle for the maintainer would he
acknowledge the NMU, for instance ?)
I expect from an active maintainer that he/she's capable of improving
the proposed patches sent by others, instead of going idle until the
perfect patch is provided. I know you may think I'm aggressive here and
criticizing your job as a maintainer... I think it shouldn't be taken
too personally... I understand you may be too busy to be able to do "the
right thing"... as I am too, and much of us maintainers... but, hey...
that's no excuse for neglecting the package's security for our users. In
the end, better no package than a poorly maintained package?

It seems that you don't think the problem deserves urgent attention
now. May I remind you that a freeze is coming for the next stable
release of Debian ?
Leaving the package in its current state for a stable release is
unacceptable from *my* standards of quality (hence my RC bug report).
But I'm not the maintainer, nor a DD... I may just propose help, would
you accept it... (and cannot decently commit myself for more ATM, btw).

Anyway, I was also going to send you another mail proposing my help for
co-maintenance maybe, as you seemed not very responsive with your
packaging in general (which I fully understand from a volunteer
maintainer point of view), and got your response in between... I hope we
can avoid fighting, and try and collaborate instead towards a better
packaging.

Let's see what the security team proposes too (hoping they're
available), and still reading us.

I sincerely hope we can achieve some "not yet perfect maybe package" but
still "secure enough", and still keep TWiki in Debian testing until
lenny is released.

Best regards,


