Your message dated Sun, 21 Feb 2016 12:17:45 +0000
with message-id <e1axsxn-0006cf...@franck.debian.org>
and subject line Bug#815111: fixed in didiwiki 0.5-11+deb7u1
has caused the Debian Bug report #815111,
regarding didiwiki: CVE-2013-7448: path traversal vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
815111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11
Tags: patch + pending
Severity: critical

A user has privately sent me a security patch for the didiwiki
package, which I maintain. The current installation allows any of the
system's users to access any file on the filesystem. To reproduce
it:
----
apt-get install didiwiki

curl http://localhost:8000/api/page/get?page=/etc/passwd
----

A patch was also provided by Alexander Izmailov, and will be applied
in the upcoming update. Thank you for that!

A CVE request has been requested. The Debian security team has been
notified too.

A version correcting this error will be uploaded soon.

 Ignace M

--- End Message ---
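
Added example, not part of the original report and not the patch that was applied to didiwiki: one way to validate the `page=` query value before it is joined to the wiki directory, so that requests such as `page=/etc/passwd` are refused. The function names and the 256-byte name limit are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst; -1 on bad escape, decoded NUL or overflow. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            src += 2;
        }
        if (c == '\0' || o + 1 >= dstlen)
            return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical helper: decode the raw page= value into out and accept it
 * only if every component is non-empty and is neither "." nor "..".
 * A leading '/' gives an empty first component, so absolute paths fail.
 * Lexical only: symlinks inside the wiki directory are not resolved. */
int safe_page_name(const char *raw, char *out, size_t outlen)
{
    if (raw == NULL || outlen == 0 || url_decode(raw, out, outlen) != 0)
        return 0;
    for (const char *p = out;;) {
        size_t len = strcspn(p, "/\\");
        if (len == 0 || (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.'))))
            return 0;
        if (p[len] == '\0')
            return 1;   /* out now holds the name to join to the wiki dir */
        p += len + 1;
    }
}

/* Convenience wrapper (hypothetical) for callers that only need a verdict. */
int page_request_allowed(const char *raw)
{
    char name[256];
    return safe_page_name(raw, name, sizeof name);
}
```

The caller should open the file using the decoded name written to `out`, not the raw query value, so that the string that was checked is the string that is used.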
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-11+deb7u1

We believe that the bug you reported is fixed in the latest version of
didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Feb 2016 15:25:26 +0100
Source: didiwiki
Binary: didiwiki
Architecture: source amd64
Version: 0.5-11+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Ignace Mouzannar <mouzan...@gmail.com>
Changed-By: Sebastien Delafond <s...@debian.org>
Description: 
 didiwiki   - simple wiki implementation with built-in webserver
Closes: 815111
Changes: 
 didiwiki (0.5-11+deb7u1) wheezy-security; urgency=high
 .
   * NMU by the Security Team; thanks to Ignace Mouzannar
     <mouzan...@gmail.com> and Alexander Izmailov <yaro...@gmail.com> for
     providing the patch for CVE-2013-7448, correcting a major security
     issue allowing didiwiki to display any file on the
     filesystem. (Closes: #815111)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
