Your message dated Tue, 20 Jan 2015 15:19:06 +0000
with message-id <e1ydaaa-00031x...@franck.debian.org>
and subject line Bug#773751: fixed in fex 20150120-1
has caused the Debian Bug report #773751,
regarding race condition between fur and fex_cleanup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
773751: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773751
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fex
Version: 20140917-1
Severity: serious
Tags: security patch upstream pending confirmed jessie

As upstream has released a new version of the fex package which closes a
security issue and there is no CVE assigned, we'll use this bug to track
the issue.

Problem is: a race condition between fur and fex_cleanup may create
internal instead of external user.

With the default configuration no auto registration is possible and no
exploit is possible. You must have allowed user self registration via
fex.ph.

Background is a timing race condition that fex_cleanup will throw away
the "external user" flag if the link a user is sent is not clicked/visited
before fex_cleanup is run (i.e. usually next day). The user account will
then be created with full internal user privileges instead of the reduced
external priv. set.

The new release is currently being prepared for uploading into Debian.
Some minor updates that have nothing to do with the issue at hand are
currently being discussed between me and upstream. I'd guess we can have
a new fixed version in unstable before end of this year - maybe even
before Xmas.

As we don't have a version in stable, I'll prepare uploads of
wheezy-backports and squeeze-backports once we're in jessie with the new
version. Since the other security fixes haven't been backported to
oldstable (yet), it seems not very logical to start with this (rather
minor) one.

Best,
Kilian
signature.asc
Description: Digital signature
--- End Message ---
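The bug report above describes the failure mode in prose only: a self-registration leaves behind a pending record and a separate "external user" flag, the nightly cleanup discards the flag while the confirmation link stays valid, and the account-creation path then reads the missing flag as "internal user". The following Python model is an added illustration for this page, not fex's own code (fex is written in Perl, and the names Store, register(), cleanup_flawed(), confirm_flawed(), cleanup_fixed(), confirm_fixed() and simulate() are assumptions chosen for the model). It shows the fail-open default that produces the privilege mix-up and two defensive changes: cleanup that expires the whole pending registration as one unit, and account creation that fails closed when the pending data is inconsistent.

```python
"""Model of the fur/fex_cleanup race described in Debian bug #773751.

Hypothetical model written for this page; not fex's code. The layout it
models: a pending registration is stored as two independent items per
token (a record and an 'external user' flag), and cleanup expires the flag
on its own. All names and timings below are assumptions for illustration.
"""
from dataclasses import dataclass, field

CLEANUP_AGE = 86400  # seconds; models the "usually next day" cleanup run


@dataclass
class Store:
    """Pending self-registrations plus the resulting user table."""
    pending: dict = field(default_factory=dict)        # token -> {"user", "created"}
    external_flag: dict = field(default_factory=dict)  # token -> created timestamp
    users: dict = field(default_factory=dict)          # username -> privilege level


def register(store: Store, username: str, token: str, now: float) -> None:
    """Hypothetical fur-like step: a self-registration request stores a
    pending record plus a separate flag saying the user must become external."""
    store.pending[token] = {"user": username, "created": now}
    store.external_flag[token] = now


def cleanup_flawed(store: Store, now: float) -> None:
    """Cleanup that expires only the flag and leaves the pending record valid."""
    for token, created in list(store.external_flag.items()):
        if now - created >= CLEANUP_AGE:
            del store.external_flag[token]


def confirm_flawed(store: Store, token: str):
    """Account creation that treats a missing flag as 'internal user'
    (fail-open default). Returns the privilege level assigned, or None."""
    rec = store.pending.pop(token, None)
    if rec is None:
        return None  # unknown or already-used link
    is_external = store.external_flag.pop(token, None) is not None
    priv = "external" if is_external else "internal"
    store.users[rec["user"]] = priv
    return priv


def cleanup_fixed(store: Store, now: float) -> None:
    """Cleanup that removes the whole pending registration, record and flag
    together, so an expired link can no longer create anything."""
    for token, rec in list(store.pending.items()):
        if now - rec["created"] >= CLEANUP_AGE:
            store.pending.pop(token, None)
            store.external_flag.pop(token, None)


def confirm_fixed(store: Store, token: str):
    """Account creation that fails closed: unless record and flag are both
    present, no account is created and nothing can be escalated."""
    rec = store.pending.get(token)
    if rec is None or token not in store.external_flag:
        store.pending.pop(token, None)
        store.external_flag.pop(token, None)
        return None
    del store.pending[token]
    del store.external_flag[token]
    store.users[rec["user"]] = "external"  # self-registered users are always external
    return "external"


def simulate(cleanup, confirm, delay: float):
    """Register at t=0, run cleanup at t=delay, then visit the link.
    Returns the privilege level the account ended up with (None = no account)."""
    store = Store()
    register(store, "alice", "tok-constructed-1", now=0.0)  # constructed sample
    cleanup(store, now=delay)
    return confirm(store, "tok-constructed-1")


if __name__ == "__main__":
    day = 2 * CLEANUP_AGE
    print("flawed, link visited same day :", simulate(cleanup_flawed, confirm_flawed, 3600))
    print("flawed, link visited next day :", simulate(cleanup_flawed, confirm_flawed, day))
    print("fixed,  link visited same day :", simulate(cleanup_fixed, confirm_fixed, 3600))
    print("fixed,  link visited next day :", simulate(cleanup_fixed, confirm_fixed, day))
```

Either change on its own closes the privilege mix-up: with confirm_fixed, a flag that the old cleanup already removed results in no account rather than an internal one. The design point is that "flag absent" must never be the branch that grants more privilege; the least-privileged outcome has to be the default.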
--- Begin Message ---
Source: fex
Source-Version: 20150120-1

We believe that the bug you reported is fixed in the latest version of
fex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kilian Krause <kil...@debian.org> (supplier of updated fex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Jan 2015 15:56:05 +0100
Source: fex
Binary: fex fex-utils
Architecture: source all
Version: 20150120-1
Distribution: unstable
Urgency: high
Maintainer: Kilian Krause <kil...@debian.org>
Changed-By: Kilian Krause <kil...@debian.org>
Description:
 fex        - web service for transferring very large files
 fex-utils  - web service for transferring very large files (utils)
Closes: 773751 774854
Changes:
 fex (20150120-1) unstable; urgency=high
 .
   * New upstream release: 20150120 (Closes: #773751)
     - SECURITY FIX: race condition between fur and fex_cleanup may create
       internal instead of external user
     - several small bugs are fixed
     - fexwall also mails to sub and group users
     - optional HTTP basic authentication for htdoc/ directory
     - several SSL/TLS related fixes including default TLS for https
       connections
     - locale selection in upload form, too
     - better SSL configuration for fexsend,fexget,sexsend
     - autoview option for fexget
     - save-or-display (MIME) option for download
     - new config variable $mail_authid to (dis)allow mailing of forgotten
       auth-IDs
   * Update lintian override to ignore :sexsend:sexget: symlink which is
     interpreted by fexsrv directly
   * Recommend ca-certificates to verify remote server in fex-utils
   * Don't fail in postinst while looking up fex in trusted_users
     (Closes: #774854)
Checksums-Sha1:
 56eef6cbcd725d710c90c1e62c38c6e0d47151e3 1875 fex_20150120-1.dsc
 02bc8984d182e6c91cc3cdceeb5ddd892dc3b2c7 329119 fex_20150120.orig.tar.gz
 7f83c372858406c26855725bf47702be67bd56d7 27784 fex_20150120-1.debian.tar.xz
 cfea967afd777b9ba048ffb7e10cf824abe9f1ae 265908 fex_20150120-1_all.deb
 f8e87ce8c2c20de53a488b2e6f41511f6d01feac 66466 fex-utils_20150120-1_all.deb
Checksums-Sha256:
 7b361017e16b491a2909deb1e388215217697e808cf99732748b604bc4b3e3bd 1875 fex_20150120-1.dsc
 a6c3c4fd37bcc9be481f57a3ceb8242c3ffc6cc3ec73f4fd5b50f6c48d24ffdd 329119 fex_20150120.orig.tar.gz
 ab88804d28ee80e36f70338e97925bf36d002ee59436d8b0182a9aa9ce2086bd 27784 fex_20150120-1.debian.tar.xz
 a33ddf118d99651074635177973b3e1a8b7c3dd3e6f30fd09ae5a8b7ee3a5109 265908 fex_20150120-1_all.deb
 a45c2f2725dc4803404342e6b41d191ffde64d0c9a5e9fc8c4561eab84127c41 66466 fex-utils_20150120-1_all.deb
Files:
 43026754520bf627f052e8c89e6bb76a 1875 non-free/web optional fex_20150120-1.dsc
 9d163d11f085ad7145552a83faf01863 329119 non-free/web optional fex_20150120.orig.tar.gz
 016116044fd22fab03eb890030e22c91 27784 non-free/web optional fex_20150120-1.debian.tar.xz
 146399f321fe3aa97bb0dfd16628b715 265908 non-free/web optional fex_20150120-1_all.deb
 515c8b3cd37d54447298b19c22c94836 66466 non-free/web optional fex-utils_20150120-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIVAwUBVL5twu91jq9J+kNcAQhY0w/9FqDsdHb8j+Y0bOiZbo90igTGctA79f4B
WKCYA6CnTC3FIRIm6fZRJsM0cibmYSW5I9d9NiRDkGO4mbVgSOSN7lvUDO+DZNQ9
dusPUy7WA52EvcmNscKbndKMEQ3rG6C8brLSMZdqS5Bn3eNCgyPmDZADjNrgeMMp
E3hgJvupBHVcNvL1h9PW5ZWciWkZfnhZPy/XQ9s2XQekzzLKWdc/xhBDRiGgiZTL
bkRjPx4iNorNLTKr+7+red0k/g4Q7O1Hx8a2Lm35y8kAg/hsH8ZMdyOensYMiity
5F9/dhbPYSbt3qOb/gAi5EaEo6IZvwPrfFf8VGOjKS4asOKNPMoyncJ4fELXDXWP
0QAmPccRvsi9oEYognoQoFjgWf03D5mPN/zcWtIYIVpHFOacwnp5rSmhIwoGan7i
rhrzf9rSnPHGBU2ogPZXjo7Zlss722JV+P5Ur/oc6KuWuJdDMa2eMwxyK+31ROrK
6POgUg+2CX04kKrs4sAlPeIE2QR+1wKScwOP8/4hfleijx0Q1aQ3jXJFSG4FSChT
3RmmR0EMLf6LCsNkxWT8XK0Gr60xdaqIskuw6u6jNA4nMn6f74f7uC0cyMPpNMOt
iezAK27LgB0+Vf6oWU7hmOVV56AoNP6tJdu2njqvGqYtaMAxQg5VzMY9+mSvqI56
RdLwEEYj5Lg=
=GLaX
-----END PGP SIGNATURE-----
--- End Message ---