Package: fex
Version: 20140917-1
Severity: serious
Tags: security patch upstream pending confirmed jessie
As upstream has released a new version of the fex package which closes a security issue and there is no CVE assigned, we'll use this bug to track the issue.

The problem is a race condition between fur and fex_cleanup that may create an internal instead of an external user. With the default configuration no auto-registration is possible, so no exploit is possible; you must have allowed user self-registration via fex.ph.

The background is a timing race condition: fex_cleanup will throw away the "external user" flag if the link a user is sent is not clicked/visited before fex_cleanup is run (i.e. usually the next day). The user account will then be created with full internal user privileges instead of the reduced external privilege set.

The new release is currently being prepared for uploading into Debian. Some minor updates that have nothing to do with the issue at hand are currently being discussed between me and upstream. I'd guess we can have a new fixed version in unstable before the end of this year, maybe even before Xmas.

As we don't have a version in stable, I'll prepare uploads for wheezy-backports and squeeze-backports once we're in jessie with the new version. Since the other security fixes haven't been backported to oldstable (yet), it seems not very logical to start with this (rather minor) one.

Best,
Kilian
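As an added illustration, not code from fex or from this report, the following Python sketch models the race described above; the names fur, cleanup and confirm, the token layout and the timings are assumptions, not fex's actual data model. It contrasts a cleanup that strips only the "external" marker (the account is then created with internal privileges) with a fail-closed cleanup that discards the whole pending registration, so a stale link creates no account at all.

```python
# Hypothetical model of the fur / fex_cleanup race (not fex's own code).
INTERNAL = "internal"
EXTERNAL = "external"
ONE_DAY = 86400


class Registrar:
    """Pending self-registrations keyed by the token in the mailed link."""

    def __init__(self, fail_closed):
        self.fail_closed = fail_closed
        self.pending = {}   # token -> {"user": str, "external": True, "created": ts}
        self.users = {}     # user -> privilege level once confirmed

    def fur(self, token, user, now):
        # Self-registration: remember the user as external and "send" the link.
        self.pending[token] = {"user": user, "external": True, "created": now}

    def cleanup(self, now, max_age):
        # Nightly job removing stale state.
        for token, rec in list(self.pending.items()):
            if now - rec["created"] > max_age:
                if self.fail_closed:
                    del self.pending[token]        # fixed: whole record goes away
                else:
                    rec.pop("external", None)      # vulnerable: only the flag goes

    def confirm(self, token):
        # The user visits the link; returns the privilege level granted, or None.
        rec = self.pending.pop(token, None)
        if rec is None:
            return None                            # unknown or expired link
        level = EXTERNAL if rec.get("external") else INTERNAL
        self.users[rec["user"]] = level
        return level


def stale_link(fail_closed):
    """Register, leave the link unvisited past the cleanup run, then confirm."""
    r = Registrar(fail_closed)
    r.fur("tok1", "alice@example.org", now=0)      # constructed sample user
    r.cleanup(now=2 * ONE_DAY, max_age=ONE_DAY)
    return r.confirm("tok1")


def prompt_link(fail_closed):
    """Register and confirm the same hour, before any cleanup ran."""
    r = Registrar(fail_closed)
    r.fur("tok1", "alice@example.org", now=0)
    return r.confirm("tok1")
```

Run stale_link(False) to see the privilege escalation the report describes and stale_link(True) to see the fail-closed behaviour; prompt_link yields an external account either way.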