On Fri, Jun 12, 2009 at 09:50:22PM -0700, Cameron Dale wrote:
> On Tue, Jun 2, 2009 at 11:45 AM, Moritz Muehlenhoff <j...@debian.org> wrote:
> > The following security issues have been reported against torrentflux:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6584
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6585
>
> Thanks for the report. I think I looked into these issues when they first came up.
>
> Anyway, I looked into them now and I don't believe that the torrentflux in Debian is affected. This vulnerability is due to the upstream's default directory layout of storing the downloads directory under the html directory, so that downloaded php files will be executed by the web server. In the Debian package's installation, the downloads are stored in /var/cache/torrentflux while the html/php files are served from /usr/share/torrentflux/www, so the webserver will never execute downloaded files.
>
> Since both reports stem from the ability to execute php files in the downloads directory, both do not affect the Debian torrentflux installation.
>
> If you think I made a mistake, please reopen this report.

Thanks, I'll add this to the Debian Security Tracker.

Cheers,
Moritz
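The Debian package's argument above rests on one property: the downloads directory must not resolve to anywhere under the directory the web server serves. The following script is an added example, not code from the bug report or from torrentflux, that audits exactly that property for a constructed copy of both layouts (the Debian one and the upstream default), including a downloads directory that is only a symlink back into the document root; it assumes a Linux system with coreutils `realpath` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the bug report or torrentflux). Checks whether a
# downloads directory lies outside the directory the web server serves,
# which is what the Debian layout relies on (/var/cache/torrentflux vs.
# /usr/share/torrentflux/www). Both paths are resolved with realpath so a
# "cache" directory that is really a symlink into the webroot is caught.
# Assumes Linux with coreutils realpath and mktemp.

# outside_webroot DOWNLOADS WEBROOT
# Returns 0 if DOWNLOADS resolves outside WEBROOT, 1 if it is WEBROOT
# itself or a subdirectory of it, 2 if either path cannot be resolved.
outside_webroot() {
    dl=$(realpath -- "$1") || return 2
    wr=$(realpath -- "$2") || return 2
    case "$dl" in
        "$wr"|"$wr"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# setup_demo: builds a constructed copy of both layouts under a fresh
# temporary directory and prints that directory. Nothing else is touched.
setup_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/usr/share/torrentflux/www/downloads" \
             "$tmp/var/cache/torrentflux" || return 2
    # Looks like a separate cache directory, but is a link into the webroot.
    ln -s "$tmp/usr/share/torrentflux/www/downloads" "$tmp/var/cache/linked"
    printf '%s\n' "$tmp"
}

# report DOWNLOADS WEBROOT: one human-readable audit line.
report() {
    if outside_webroot "$1" "$2"; then
        printf 'OK      %s is outside %s\n' "$1" "$2"
    else
        printf 'UNSAFE  %s is inside %s (a downloaded .php could run)\n' "$1" "$2"
    fi
}

demo=$(setup_demo)
www="$demo/usr/share/torrentflux/www"
report "$demo/var/cache/torrentflux" "$www"   # Debian layout: OK
report "$www/downloads" "$www"                # upstream default: UNSAFE
report "$demo/var/cache/linked" "$www"        # symlink into webroot: UNSAFE
rm -rf "$demo"
```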