Just for completion:
I just got a short answer from Kari Pahula pointing me to the
corresponding Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724746
Looks like the issue has been already fixed there in the same way I fixed it.
Until now I accidentally that thought Debian
Jonas:
I will send a mail to Kari Pahula, which seems to be maintaining the tntnet
package
for Debian, and point him to this launchpad bug.
Maybe he will give us some insights on why he changed the default configuration
that way, review my changes and either adapt it to fix the tntnet Debian sque
This bug was fixed in the package tntnet - 2.0+dfsg1-2ubuntu0.1
---
tntnet (2.0+dfsg1-2ubuntu0.1) precise-security; urgency=high
* SECURITY UPDATE: Fixed default configuration to prevent exposing
files from /. (LP: #1430750)
-- Christian HertelWed, 11 Mar 2015 16:07:14 +01
Okay, thanks for the comments. Unless someone is willing to prepare a
debdiff with a better fix, I'm going to sponsor the one that Christian
provided.
Christian: for the record, for updates targeted towards a security
pocket, please target RELEASE-security, not just RELEASE. Also, "closes:
#bugnum
Allright, there is probably some reason this was removed in the original
patch. If you don't want to do anything beyond what you've done already,
that's fine by me. I won't fix this because I hate Launchpad with a
passion; I just seem to have subscribed to tntnet bugs here somewhen,
that's why I go
Jonas,
for sure the suggested change is not the perfect solution and without any doubt
there are many better ways to achieve the goal.
Unfortunately I do not have the time to evaluate all possible options, I just
wanted to suggest a change to provide a default configuration (which is as
close t
Sorry, I was unable to find a way to edit my last posting:
> The default configuration in this packages is not xml format and
therefor different to the one where all the patches in the existing >
tntnet source deb package were built on.
I meant the default configuration file (etc/tntnet/tntnet.co
Oh, wait a second. The DocumenRoot was already set in the upstream
.conf.in file, but was removed by the original debian patch! What?? I
would seriously recommend you to find out why it was removed originally,
and restore it. The DocumentRoot setting is specifically made for this
purpose, and prepe
@Jonas:
Upstream seems to be based on the following sources:
http://www.tntnet.org/download/tntnet-2.0.tar.gz
The default configuration in this packages is not xml format and
therefor different to the one where all the patches in the existing
tntnet source deb package were built on.
I chose to a
Thanks for the debdiff. I've subscribed the "ubuntu-security-sponsors"
group for review.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1430750
Title:
Insecure Default Config leads to security issue
That will probably still allow paths like "/../../etc/passwd". That's
why tntnet has the documentRoot setting, which should be available in
tntnet 2.0, but should also already be set in the default configuration:
https://github.com/maekitalo/tntnet/blob/tags/2.0/tntnet/etc/tntnet/tntnet.xml.in#L59
As requested, I have created a debdiff (my first debdiff so far) which
seems to fix this issue in our case.
** Patch added: "tntnet_2.0+dfsg1-2ubuntu1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/tntnet/+bug/1430750/+attachment/4341332/+files/tntnet_2.0%2Bdfsg1-2ubuntu1.debdiff
--
You
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is availabl
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: tntnet (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1430750
Title:
Ins
** Summary changed:
- Insecure Default Config leads to security issue (CVE-2013-7299)
+ Insecure Default Config leads to security issue
** Description changed:
The default configuration file delivered with package tntnet prior to
version 2.2.1 allows unauthenticated remote attackers to obtai
15 matches
Mail list logo
