Your message dated Tue, 24 Mar 2009 19:53:39 +0000
with message-id <e1lmcgt-0000ll...@ries.debian.org>
and subject line Bug#518768: fixed in roundup 1.4.4-4+lenny1
has caused the Debian Bug report #518768,
regarding roundup: privilege escalation in EditCSVAction
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
518768: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundup
Version: 1.2.1-5+etch2
Severity: grave
Tags: security
Justification: user security hole

Hi,

Daniel Diniz discovered that EditCSVAction does not include appropriate
permission checks, allowing any user to edit any item in a class she has
create / edit privileges for. This includes, amongst others, modifying the
content of existing messages or issues, changing user settings or adding
roles to existing users, which allows one to gain admin privileges.

The attack may be done using specially crafted but simple URLs. I'm not
adding an example since I'm not sure this should be made public yet. I
will provide examples to the package maintainer and the security team on
request though.

See upstream issue 2550521 [1] for more details and the original report
by Daniel - that issue mentions editing saved queries only though as the
real impact of the bug was not known at that time.

Afaik, there is no CVE for this issue yet.

Cheers,
Sebastian

[1] http://issues.roundup-tracker.org/issue2550521

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

Attachment: signature.asc
Description: Digital signature


--- End Message ---
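To make the class of bug described in the report above concrete, here is an added example (it is not Roundup's code and not the fix that shipped in 1.4.4-4+lenny1): a toy CSV bulk-edit handler that, as the report describes, checks only class-level Edit permission, beside a version that authorises each changed item and property before writing anything. The data model, the `Security` class and its permission rules are simplified assumptions made for the illustration, and creation of new rows is left out.

```python
import csv
import io


class Unauthorised(Exception):
    """Raised when a request fails an authorisation check."""


def make_db():
    # Constructed sample data: a tracker "user" class whose 'roles' property
    # decides who is an administrator. Item "2" is an ordinary user.
    return {
        "user": {
            "1": {"username": "admin", "roles": "Admin"},
            "2": {"username": "alice", "roles": "User"},
        }
    }


class Security:
    """Simplified, assumed permission model (not Roundup's): a class-level
    check that every registered user passes for the 'user' class, plus an
    item-level check that restricts non-admins to their own item and never
    lets them touch the 'roles' property."""

    def __init__(self, db):
        self.db = db

    def has_class_permission(self, perm, userid, classname):
        return perm in ("Create", "Edit") and userid in self.db["user"]

    def has_item_permission(self, perm, userid, classname, itemid, prop):
        if self.db["user"][userid]["roles"] == "Admin":
            return True
        if classname == "user" and itemid == userid:
            return perm == "Edit" and prop != "roles"
        return False


# Constructed attacker input: user 2 (alice) submits a CSV row that rewrites
# her own 'roles' property to Admin.
ESCALATION_CSV = "id,username,roles\n2,alice,Admin\n"


def parse_rows(payload):
    return list(csv.DictReader(io.StringIO(payload)))


def edit_csv_vulnerable(db, sec, userid, classname, payload):
    """Authorises once at class level, then applies every row unchecked.
    Any user with Edit on the class can rewrite any item and any property."""
    if not sec.has_class_permission("Edit", userid, classname):
        raise Unauthorised("no Edit permission on class %s" % classname)
    for row in parse_rows(payload):
        itemid = row.pop("id")
        db[classname][itemid].update(row)   # existing items only in this model
    return db


def edit_csv_fixed(db, sec, userid, classname, payload):
    """Authorises each (item, property) that would actually change, and does
    so before writing anything, so a rejected row cannot leave a partial edit."""
    if not sec.has_class_permission("Edit", userid, classname):
        raise Unauthorised("no Edit permission on class %s" % classname)
    rows = parse_rows(payload)
    for row in rows:
        itemid = row["id"]
        current = db[classname][itemid]
        for prop, value in row.items():
            if prop == "id" or current.get(prop) == value:
                continue   # nothing to authorise for an unchanged column
            if not sec.has_item_permission("Edit", userid, classname, itemid, prop):
                raise Unauthorised("user %s may not edit %s%s.%s"
                                   % (userid, classname, itemid, prop))
    for row in rows:
        itemid = row.pop("id")
        db[classname][itemid].update(row)
    return db


def run_demo():
    """Runs the same escalation attempt against both handlers and returns
    (roles after vulnerable handler, fixed handler rejected?, roles after
    fixed handler, roles after a real admin performs the edit)."""
    db = make_db()
    edit_csv_vulnerable(db, Security(db), "2", "user", ESCALATION_CSV)
    vulnerable_roles = db["user"]["2"]["roles"]

    db = make_db()
    try:
        edit_csv_fixed(db, Security(db), "2", "user", ESCALATION_CSV)
        fixed_rejected = False
    except Unauthorised:
        fixed_rejected = True
    fixed_roles = db["user"]["2"]["roles"]

    db = make_db()   # the same edit by a real admin must still succeed
    edit_csv_fixed(db, Security(db), "1", "user", ESCALATION_CSV)
    admin_roles = db["user"]["2"]["roles"]
    return vulnerable_roles, fixed_rejected, fixed_roles, admin_roles


if __name__ == "__main__":
    print(run_demo())   # ('Admin', True, 'User', 'Admin')
```

The point of the hardened version is that a bulk action must re-derive authorisation from the individual (item, property) pairs it is about to write, not from the caller's class-level rights, and must do so before the first write so a mixed payload cannot leave half its rows applied.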
--- Begin Message ---
Source: roundup
Source-Version: 1.4.4-4+lenny1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.4.4-4+lenny1.diff.gz
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1.diff.gz
roundup_1.4.4-4+lenny1.dsc
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1.dsc
roundup_1.4.4-4+lenny1_all.deb
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Toni Mueller <t...@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Mar 2009 21:51:12 +0100
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Toni Mueller <t...@debian.org>
Changed-By: Toni Mueller <t...@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 518669 518768
Changes: 
 roundup (1.4.4-4+lenny1) stable-security; urgency=high
 .
   * fix EditCSVAction and other security issues (closes: #518768)
     Special thanks for this to Daniel (ajax) Diniz, Richard Jones,
     and, by extension, to Stefan Seefeld.
     Upstream issue: #2550529
   * unbreak copying issue (closes: #518669)
   * fix SMTP-TLS (upstream issue: #2484879)
   * fix crashes on bogus pagination request (upstream issue: #2550530)
   * fix a search problem (upstream issue: #2550505)
Checksums-Sha1: 
 2d0a968cc727e925ebef3160cc9653a83e4316db 1052 roundup_1.4.4-4+lenny1.dsc
 d260eb90113d36b07d0b7ef42b1d81450d9bc2e7 31251 roundup_1.4.4-4+lenny1.diff.gz
 7c43c7ce56cb16057a0f0f349c2805a5580c8845 1278600 roundup_1.4.4-4+lenny1_all.deb
Checksums-Sha256: 
 e2f9bb0d2e64747bd27948cbf635b568faf7bbce043e36074dc1f9a3121ed691 1052 roundup_1.4.4-4+lenny1.dsc
 6c1f7508b034404dd8cbecef6a84faee8087c373611f984164c6d35ced65bba2 31251 roundup_1.4.4-4+lenny1.diff.gz
 90a5b64fafd471beccea5e819d4a897fb54edbb69daf6d9795db1a6a58a66794 1278600 roundup_1.4.4-4+lenny1_all.deb
Files: 
 06b5d9261eae320131695bddb392d5c6 1052 web optional roundup_1.4.4-4+lenny1.dsc
 28ebe811e6792bc75af81f6da4b62633 31251 web optional roundup_1.4.4-4+lenny1.diff.gz
 35c30c9d48d1d264cd8564a6ab971c03 1278600 web optional roundup_1.4.4-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJxsoEfoEUoHXLGtIRArIDAJ9XJhXXhmr4pT0obRnYlIVtP8n3HwCgxBBS
xcziq+6mGlhmzjq4zSIcgrs=
=OSEN
-----END PGP SIGNATURE-----



--- End Message ---