Your message dated Fri, 12 Jun 2009 21:50:22 -0700
with message-id <f4438a6a0906122150n13578deo7404fb842621d...@mail.gmail.com>
and subject line Re: Bug#531614: Two security issues
has caused the Debian Bug report #531614,
regarding Two security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
531614: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531614
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: torrentflux
Severity: grave
Tags: security
The following security issues have been reported against torrentflux:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6585
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages torrentflux depends on:
pn  bittornado                    <none>   (no description available)
pn  dbconfig-common               <none>   (no description available)
ii  debconf [debconf-2.0]         1.5.26   Debian configuration management sy
pn  libapache2-mod-php5 | libapac <none>   (no description available)
pn  libphp-adodb                  <none>   (no description available)
pn  php5-mysql | php5-mysqli | ph <none>   (no description available)
ii  python                        2.5.4-2  An interactive high-level object-o
ii  zip                           3.0-1    Archiver for .zip files
Versions of packages torrentflux recommends:
pn  mysql-client                  <none>   (no description available)
pn  mysql-server                  <none>   (no description available)
torrentflux suggests no packages.
--- End Message ---
--- Begin Message ---
On Tue, Jun 2, 2009 at 11:45 AM, Moritz Muehlenhoff <j...@debian.org> wrote:
> The following security issues have been reported against torrentflux:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6584
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6585
Thanks for the report. I think I looked into these issues when they
first came up.
Anyway, I looked into them now and I don't believe that the
torrentflux in Debian is affected. This vulnerability is due to the
upstream's default directory layout of storing the downloads directory
under the html directory, so that downloaded php files will be
executed by the web server. In the Debian package's installation, the
downloads are stored in /var/cache/torrentflux while the html/php
files are served from /usr/share/torrentflux/www, so the webserver
will never execute downloaded files.
Since both reports stem from the ability to execute php files in the
downloads directory, both do not affect the Debian torrentflux
installation.
If you think I made a mistake, please reopen this report.
Thanks,
Cameron
--- End Message ---
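The maintainer's argument in the closing message is purely one of layout: the CVEs bite when the downloads directory lives under the tree the web server hands to its PHP handler, and Debian's package is unaffected because /var/cache/torrentflux and /usr/share/torrentflux/www are disjoint. The script below is an added example, not torrentflux code and not part of the Debian package or this bug report. It turns that reasoning into a check an administrator can run against an installation, and also covers the case the argument quietly assumes away: a symlink somewhere in the served tree that points back into the download directory, which re-creates the upstream exposure on an otherwise correct Debian layout. All paths in `demo()` are constructed under a temporary directory for illustration; on a real host you would pass the DocumentRoot (plus any Alias targets) and the configured download directory.

```python
"""
Does a torrent client's download directory end up URL-reachable through
a web server's served tree?  Added example, not torrentflux code.

Two things make downloaded files reachable by the PHP handler:
  1. the download directory is nested under a served root, or
  2. a symlink inside the served tree points into (or above) it.
Case 1 is the upstream torrentflux layout; case 2 is what a local admin
can accidentally do to the Debian layout.
"""
import os
import tempfile
from pathlib import Path


def is_inside(child, parent) -> bool:
    """True if `child` resolves to `parent` or somewhere beneath it.

    Both sides are resolved (symlinks followed) before comparing, so an
    alias on either path cannot hide or fake the containment."""
    c = Path(child).resolve()
    p = Path(parent).resolve()
    return c == p or p in c.parents


def exposed_paths(served_root, download_dir):
    """Return the filesystem paths through which files in `download_dir`
    become reachable under `served_root`.

    The list holds the download directory itself when it is nested under
    the served root, plus every symlink found inside the served tree that
    resolves into the download directory or to one of its ancestors.
    An empty list means a direct URL cannot reach downloaded files."""
    root = Path(served_root)
    dl = Path(download_dir).resolve()
    hits = []
    if is_inside(dl, root):
        hits.append(dl)
    if not root.is_dir():
        return hits
    # os.walk does not descend into symlinked directories by default,
    # but it does list them in `dirnames`, so every link is inspected once.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = p.resolve()
                # link into the download tree, or to something above it
                if is_inside(target, dl) or is_inside(dl, target):
                    hits.append(p)
    return hits


def demo():
    """Build three constructed layouts in a temp dir and report which of
    them expose the download directory to the served tree."""
    base = Path(tempfile.mkdtemp(prefix="tf-layout-"))
    results = {}

    # 1. upstream default: downloads/ beneath the served html/ directory
    up_html = base / "upstream" / "html"
    (up_html / "downloads").mkdir(parents=True)
    results["upstream"] = bool(exposed_paths(up_html, up_html / "downloads"))

    # 2. Debian layout: cache dir disjoint from the served tree
    deb_www = base / "usr" / "share" / "torrentflux" / "www"
    deb_cache = base / "var" / "cache" / "torrentflux"
    deb_www.mkdir(parents=True)
    deb_cache.mkdir(parents=True)
    results["debian"] = bool(exposed_paths(deb_www, deb_cache))

    # 3. Debian layout undone by a local symlink from the webroot
    (deb_www / "dl").symlink_to(deb_cache)
    results["debian_symlink"] = bool(exposed_paths(deb_www, deb_cache))
    return results


if __name__ == "__main__":
    for layout, exposed in demo().items():
        print(f"{layout:15s} exposed={exposed}")
```

The check speaks only to what a plain directory mapping makes reachable. Apache `Alias` directives, bind mounts and similar server-side mappings are not visible from the filesystem walk and would need to be fed in as additional served roots; the point of the symlink case is to show that "stored outside the webroot" is a property of the whole mapping, not just of two path strings.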