Your message dated Fri, 24 Oct 2008 15:56:14 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470477: fixed in jspwiki 2.8.0-1
has caused the Debian Bug report #470477,
regarding CVE-2008-1231: Directory traversal vulnerability in Edit.jsp in JSPWiki
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
470477: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470477
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jspwiki
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been found in jspwiki:

Directory traversal vulnerability in Edit.jsp in JSPWiki 2.4.104 and
2.5.139 allows remote attackers to include and execute arbitrary local
.jsp files, and obtain sensitive information, via a .. (dot dot) in
the editor parameter.

See
http://marc.info/?l=bugtraq&m=120300554011544&w=2
for more info.

Please mention the CVE id in the changelog.



--- End Message ---
--- Begin Message ---
Source: jspwiki
Source-Version: 2.8.0-1

We believe that the bug you reported is fixed in the latest version of
jspwiki, which is due to be installed in the Debian FTP archive:

jspwiki_2.8.0-1.diff.gz
  to pool/contrib/j/jspwiki/jspwiki_2.8.0-1.diff.gz
jspwiki_2.8.0-1.dsc
  to pool/contrib/j/jspwiki/jspwiki_2.8.0-1.dsc
jspwiki_2.8.0-1_all.deb
  to pool/contrib/j/jspwiki/jspwiki_2.8.0-1_all.deb
jspwiki_2.8.0.orig.tar.gz
  to pool/contrib/j/jspwiki/jspwiki_2.8.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kalle Kivimaa <[EMAIL PROTECTED]> (supplier of updated jspwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 21 Oct 2008 12:00:00 +0300
Source: jspwiki
Binary: jspwiki
Architecture: source all
Version: 2.8.0-1
Distribution: unstable
Urgency: low
Maintainer: Kalle Kivimaa <[EMAIL PROTECTED]>
Changed-By: Kalle Kivimaa <[EMAIL PROTECTED]>
Description: 
 jspwiki    - WikiWikiWeb clone written in Java
Closes: 470477 489900 491176
Changes: 
 jspwiki (2.8.0-1) unstable; urgency=low
 .
   * New upstream release. Closes: #489900
   * Moved package back to contrib as it requires jars which are
     either not in Debian or in contrib. Closes: #491176
   * New release contains fixes for the CVE-2008-1229 and CVE-2008-1231.
     The default properties have been changed to reject .jsp uploads,
     which fixes CVE-2008-1230 (a NEWS.Debian entry has also been added).
     Closes: #470477
   * control, rules and links modified to better support existing Debian
     libraries.
   * Added the missing jspwiki.properties
   * ant build dependency moved to Build-Depends to conform to policy.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj9t7EACgkQkuYKi19tgBV8mACffnHFdAnkIr9YWF5PS8qm41Wq
5KIAnRWytd59bCh6JELdRXfFOO4tsOOo
=Yflt
-----END PGP SIGNATURE-----



--- End Message ---
