Your message dated Fri, 18 Jul 2008 12:17:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#485562: fixed in twiki 1:4.1.2-3.2
has caused the Debian Bug report #485562,
regarding twiki: configure script access badly protected
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
485562: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485562
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In the current state of the Debian package, if nothing is changed manually in the
default setup configured by the package, then TWiki's configure script is
easily accessible to unauthorized people, thus exposing (including changing it) the
configuration of TWiki. For instance, it would be possible to change settings
which may compromise the wiki's functioning (including commands executed as
www-data).
Full details have already been notified (by me) to the maintainer and the
security team through direct emails.
A proposed patch to address this issue was also provided through direct emails.
Unfortunately, the maintainer seems too busy to be able to acknowledge all that at
the moment.
So I'm filing this ticket so that appropriate measures can be taken regarding the
possible inclusion of such a security risk in the coming stable release.
Hope this helps,
Best regards.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages twiki depends on:
ii apache2.2-common 2.2.8-4 Next generation, scalable, extenda
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
pn libalgorithm-diff-perl <none> (no description available)
ii libcgi-session-perl 4.30-1 Persistent session data in CGI app
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libhtml-parser-perl 3.56-1+b1 A collection of modules that parse
pn liblocale-maketext-lexicon <none> (no description available)
pn libtext-diff-perl <none> (no description available)
ii liburi-perl 1.35.dfsg.1-1 Manipulates and accesses URI strin
ii perl [libmime-base64-perl] 5.10.0-10 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.10.0-10 Core Perl modules
ii rcs 5.7-23 The GNU Revision Control System
twiki recommends no packages.
--- End Message ---
--- Begin Message ---
Source: twiki
Source-Version: 1:4.1.2-3.2
We believe that the bug you reported is fixed in the latest version of
twiki, which is due to be installed in the Debian FTP archive:
twiki_4.1.2-3.2.diff.gz
to pool/main/t/twiki/twiki_4.1.2-3.2.diff.gz
twiki_4.1.2-3.2.dsc
to pool/main/t/twiki/twiki_4.1.2-3.2.dsc
twiki_4.1.2-3.2_all.deb
to pool/main/t/twiki/twiki_4.1.2-3.2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Olivier Berger <[EMAIL PROTECTED]> (supplier of updated twiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Jul 2008 15:04:09 +0200
Source: twiki
Binary: twiki
Architecture: source all
Version: 1:4.1.2-3.2
Distribution: unstable
Urgency: high
Maintainer: Sven Dowideit <[EMAIL PROTECTED]>
Changed-By: Olivier Berger <[EMAIL PROTECTED]>
Description:
twiki - A Web Based Collaboration Platform
Closes: 458573 485562 488377 488383 488387 488712 488758 488893 488933 489147
489439 489527 489530
Changes:
twiki (1:4.1.2-3.2) unstable; urgency=high
.
* Non-maintainer upload.
* Protect configure script which used to be world accessible as a
trivial user: will now be accessible only from localhost as a
specific user, which is configured through Debconf. (Closes: #485562)
* Added Spanish translation, thanks to Fernando C. Estrada (Closes:
#458573).
* Improved docs in NEWS.Debian and README.Debian
* Improved wording of debconf templates
* Updated debconf translations following call for updates (thanks to
Christian Perrier):
- Galician: Closes: #488377
- Vietnamese: Closes: #488383
- Norwegian Bokmål: Closes: #488387
- Romanian: Closes: #488712
- French: Closes: #488758
- Portuguese: Closes: #488893
- Basque: Closes: #488933
- Czech: Closes: #489439
- German: Closes: #489527
- Russian: Closes: #489530
* Removed obsolete br.po (see pt_BR.po instead) translation file.
* Add new Finnish translation of the debconf templates, thanks to Esko
Arajärvi (Closes: #489147).
* Properly clean after dpatch
Checksums-Sha1:
afe7c8a1e464887c0b927f6fab5c45b706574ffa 972 twiki_4.1.2-3.2.dsc
01c0dce5bd46694bc08eb870e771f6597686d94f 50431 twiki_4.1.2-3.2.diff.gz
f481c17f7a8a982a3082b8a3a0b2bf3da3b6abda 4687620 twiki_4.1.2-3.2_all.deb
Checksums-Sha256:
e322f717f47cdd3f1bbbcf6d6b8a3f043d3d764959f5456b2f09769c5d19d459 972 twiki_4.1.2-3.2.dsc
a9507ef1000dd977f57d54cdd17bc8c54bed8ea08c3302e86f73b5d95936781f 50431 twiki_4.1.2-3.2.diff.gz
df48ea1594570f2d712637d8d8203d47c03f295623e700474a70e17907777c3e 4687620 twiki_4.1.2-3.2_all.deb
Files:
f675694e6cf8e6c496ac3a89948f7d55 972 web optional twiki_4.1.2-3.2.dsc
dd2ea83dc21bcd8fd572924b2a8016c1 50431 web optional twiki_4.1.2-3.2.diff.gz
256ee04f30b3a70f6dc74a72aa520ce3 4687620 web optional twiki_4.1.2-3.2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkiAg9kACgkQ1OXtrMAUPS01rACfWX2hBS23o220ySSOORZFeVNg
L0IAoKUjL2G5lcJQ/alAPE0o4BnEQS64
=mBAm
-----END PGP SIGNATURE-----
--- End Message ---
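The bug report above describes the configure script as reachable by anyone who can reach the wiki, and the changelog entry for 1:4.1.2-3.2 describes the fix as restricting it to localhost and to one user configured through Debconf. The shell script below is an added example and not code from the Debian package or from TWiki: it puts a weak Apache 2.2 Location fragment for the configure script next to a hardened one that combines a loopback-only address restriction with Basic authentication, and defines a check a packager or administrator can run against a config file to confirm that protection is present. The URL path /twiki/bin/configure, the password file /etc/twiki/htpasswd and the user name twikiadmin are assumptions chosen for illustration, not values taken from the package.

```shell
#!/bin/sh
# Added example (not from the Debian twiki package or from TWiki itself).
# Assumed for illustration: the configure script is served at
# /twiki/bin/configure, the password file is /etc/twiki/htpasswd and the
# permitted user is twikiadmin. Adjust these to the real installation.

# Weak form (constructed): the configure script is open to every client.
WEAK_CONF='
<Location /twiki/bin/configure>
    Order allow,deny
    Allow from all
</Location>
'

# Hardened form (constructed, Apache 2.2 syntax): deny by default, allow only
# the loopback address, and additionally demand one named authenticated user.
# "Satisfy all" makes BOTH the address check and the login mandatory.
HARDENED_CONF='
<Location /twiki/bin/configure>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /etc/twiki/htpasswd
    Require user twikiadmin
    Satisfy all
</Location>
'

# check_configure_protection FILE
# Returns 0 when the Location block for the configure script denies by default,
# allows only 127.0.0.1, names a required user and uses "Satisfy all";
# returns 1 when the block is missing or any of those conditions fails.
check_configure_protection() {
    block=$(sed -n '/<Location \/twiki\/bin\/configure>/,/<\/Location>/p' "$1")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*Deny from all' || return 1
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*Allow from 127\.0\.0\.1' || return 1
    # An "Allow from all" anywhere in the block would reopen the script.
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*Allow from all' && return 1
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*Require user ' || return 1
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*Satisfy all' || return 1
    return 0
}

# Write both constructed fragments to a temporary directory so the check
# can be exercised without touching the live Apache configuration.
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmpdir/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$tmpdir/hardened.conf"

if check_configure_protection "$tmpdir/weak.conf"; then
    echo "weak.conf: configure script protected"
else
    echo "weak.conf: configure script NOT protected"
fi
if check_configure_protection "$tmpdir/hardened.conf"; then
    echo "hardened.conf: configure script protected"
else
    echo "hardened.conf: configure script NOT protected"
fi
```

The fragments use the Order/Allow/Deny and Satisfy directives of Apache 2.2, which is the version the package's dependency list shows; on Apache 2.4 the same intent is written with Require ip 127.0.0.1 and Require user inside a RequireAll block, and the check function would need its patterns changed accordingly. Restricting the script to localhost alone is not enough when other users have shell access to the host, which is why the hardened form keeps the authenticated user as a second condition.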