Your message dated Sun, 5 Nov 2006 22:54:57 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Closing
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: twiki
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-1387: "TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows
remote authenticated users with edit rights to cause a denial of service
(infinite recursion leading to CPU and memory consumption) via INCLUDE
by URL statements that form a loop, such as a page that includes
itself."

TWiki has released an advisory [1] about this issue.  The attached patch
implements the recommended hotfix by disabling the INCLUDE directive.

Please mention the CVE number in your changelog.

[1] http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbPVoAud/2YgchcQRAo1GAKDqMMBlHNw1XSbqGVYKltk3u3Y0DQCg4x0J
NOk1flpjJOOY93b9DAXvv+U=
=uBTE
-----END PGP SIGNATURE-----
--- lib/TWiki.pm.orig   2006-05-18 23:07:09.000000000 +0100
+++ lib/TWiki.pm        2006-05-18 23:11:46.000000000 +0100
@@ -1921,6 +1921,9 @@
     my $user = "";
     my $pass = "";
 
+    # CVE-2006-1387
+    return "%RED% Include of URL is disabled %ENDCOLOR%";
+
     # For speed, read file directly if URL matches an attachment directory
     if( $theUrl =~ /^$urlHost$pubUrlPath\/([^\/\.]+)\/([^\/\.]+)\/([^\/]+)$/ ) 
{
         my $web = $1;
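
Review bot: The unconditional return added right after 'my $pass = "";' makes the rest of the function unreachable, including the "read file directly if URL matches an attachment directory" branch just below it, so URL includes of local attachments are switched off together with remote ones. If that is intended for the hotfix, extend the "# CVE-2006-1387" comment to say what is disabled and that the code below is deliberately bypassed. Otherwise, put the return behind a site setting so that administrators can restore URL includes once a loop-safe fix is installed.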

--- End Message ---
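
The include loop from the CVE description can be modelled and bounded instead of switched off. This is an added example, not code from TWiki, the Debian package or this bug report. It assumes each INCLUDE by URL reaches the server as a fresh request, and the hop counter, `MAX_HOPS`, `WikiServer` and the sample URLs are hypothetical.

```python
import re

# TWiki-style include-by-URL directive.
INCLUDE_URL = re.compile(r'%INCLUDE\{"(https?://[^"]+)"\}%')
MAX_HOPS = 3       # assumed include budget per originating request
REQUEST_CAP = 50   # demo safety stop standing in for CPU/memory exhaustion

# Constructed sample topics (URL -> topic text); not taken from a real wiki.
PAGES = {
    "http://wiki.example/Loop": 'top %INCLUDE{"http://wiki.example/Loop"}%',
    "http://wiki.example/A": 'A[%INCLUDE{"http://wiki.example/B"}%]',
    "http://wiki.example/B": "B",
}


class RunawayInclude(Exception):
    """Raised by the demo when the request cap is exceeded."""


class WikiServer:
    def __init__(self, pages, guarded):
        self.pages = pages
        self.guarded = guarded
        self.requests = 0  # total requests served, for measurement only

    def handle(self, url, hops=0):
        """Serve one request. `hops` models a counter carried in the request
        itself (for example a header); no other state is shared, so a
        per-request "already included" set could never see the loop."""
        self.requests += 1
        if self.requests > REQUEST_CAP:
            raise RunawayInclude(url)

        def expand(match):
            if self.guarded and hops >= MAX_HOPS:
                return "[include depth limit reached]"
            # The nested fetch is a new request with the counter incremented.
            return self.handle(match.group(1), hops + 1)

        return INCLUDE_URL.sub(expand, self.pages.get(url, ""))


def view(url, guarded):
    """Render `url`; return (text or None on runaway, requests served)."""
    server = WikiServer(PAGES, guarded)
    try:
        return server.handle(url), server.requests
    except RunawayInclude:
        return None, server.requests
```
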
--- Begin Message ---
Version: 1:4.0.4-3

This upload closes all these bugs:

twiki (1:4.0.4-3) unstable; urgency=high

  * added Hotfix 4 for TWiki 4.0.4

 -- Sven Dowideit <[EMAIL PROTECTED]>  Fri, 15 Sep 2006 00:00:01 -1000

twiki (1:4.0.4-2) unstable; urgency=high

  * added Hotfix 3 for TWiki 4.0.4
    includes:
      Item 2714 - SECURITY ISSUE! - Topics with ALLOWTOPICVIEW
        defined in "Edit Settings" (META) can be read by anyone
        with a specially crafted SEARCH.
      Item 2806 - Security Alert CVE-2006-4294 - viewfile doesn't
        follow rules for mapping attachment names

 -- Sven Dowideit <[EMAIL PROTECTED]>  Sat, 09 Sep 2006 00:00:01 -1000

twiki (1:4.0.4-1) unstable; urgency=high

  * added Hotfix 2 for TWiki 4.0.4
    includes (CVE-2006-3819) - Configure robustness update

 -- Sven Dowideit <[EMAIL PROTECTED]>  Sun, 20 Aug 2006 00:00:01 -1000

twiki (1:4.0.4-0.1) unstable; urgency=high

  * new upstream version TWiki-4.0.4
    includes prevent script execution of uploaded files (CVE-2006-3336)
    (Closes: #381907)
    4.0.2 includes CVE-2006-1387: DoS with INCLUDE
    (Closes: #367973)
  * restricted access to configure script
  * added libcgi-session-perl dependency
  * stopped failure when /etc/apache-foo/conf.d/twiki.conf_old doesn't
    exist
  * cleaned up handling of apache reload/restart calls

 -- Andrew Moise <[EMAIL PROTECTED]>  Fri, 11 Aug 2006 15:05:06 -0400

twiki (1:4.0.1-1) unstable; urgency=high

  * new upstream version TWiki-4.0.1
    (Closes: #255782, #221514, #338118, #311662, #305793, #345668)
  * added brute force restart of apache & apache2 (Closes: #300601)
  * fixed regex that was supposed to set WIKIWEBMASTER (Closes: #305034)
  * removed data dir from apache.conf (Closes #307928)
  * added debconf-2.0 dependency (Closes: #332129)
  * improved RedirectMatch (Closes: #293369)
  * updated Czech translation of debconf (Closes: #321818)
  * added Vietnamese translation of debconf (Closes: #322398)
  * added Swedish translation of debconf (Closes: #341095)
  * fixed up debconf spelling mistake (Closes: #322399)
  * added dependency option of apache-perl (Closes: #235603)
  * cleaned up index.html (Closes: #228748)
  * added extra test for existing data (Closes: #229036)
  * added primitive test and use of htpasswd2 for apache2 (Closes: #233943)
  * remove use of wwwconfig (Closes: 251340)

 -- Sven Dowideit <[EMAIL PROTECTED]>  Sun, 26 Feb 2006 00:00:01 -1000

Thanks.


-- 
  ·''`.             If I can't dance to it, it's not my revolution
 : :' :                                            -- Emma Goldman
 `. `'           Proudly running Debian GNU/Linux (unstable)
   `-     www.amayita.com  www.malapecora.com  www.chicasduras.com

--- End Message ---
