...@home.org.au | olivier.ber...@it-sudparis.eu
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideitop=indexexact=on
Olivier Berger wrote:
On Sat, Dec 27, 2008 at 09:22:58AM +0100
Sadly, the upstream fix doesn't address the root cause of the url
parameter problem (and we've reported to them at least one exploit that
is unfixed by their patch), and I'm working on the Foswiki fork of
twiki, which is addressing the security issues we know about in what I
consider a more
This is a pretty worrying 'fix'. The Foswiki guys analysed the
situation, and felt that changing URLPARAM as twiki did was not
addressing the issue at all (and I agree). What they did was to change
the code to default to a safe encoding, and to then allow the user to
optionally request different
oh crepe.
I thought we'd dealt with this already, but i was wrong.
looking into it - 4.1.2-5 here we come.
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideitop
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideitop=indexexact=on
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL
I have uploaded an updated 4.1.2-5 with this and a few other things fixed.
I've emailed Ardo asking for sponsorship, but if he's not around, would
appreciate assistance :)
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key
Extraction
ii perl-modules [libnet-pe 5.8.8-7etch3 Core Perl modules
ii rcs 5.7-18 The GNU Revision Control System
twiki recommends no packages.
-- debconf information excluded
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing
.
Mys 2 cents,
Best regards.
The following may be helpful :
http://home.org.au/cgi-bin/view/Blog/BlogEntry2007x04x03x01x23
I didn't test it myself though.
Hope this helps,
Best regards,
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
ah, thanks :)
do I need to find and contact (and bribe with beer?) someone to
'convince release-manager'?
Sven
Vincent Bernat wrote:
OoO En ce début d'après-midi ensoleillé du dimanche 24 août 2008, vers
15:33, Sven Dowideit [EMAIL PROTECTED] disait :
I've finally placed a new twiki
upload it for me so it can go into Lenny?
Sven
Vincent Bernat wrote:
OoO Pendant le temps de midi du samedi 16 août 2008, vers 12:36, Sven
Dowideit [EMAIL PROTECTED] disait :
frustratingly, I'm not a DD
and Worse. I have an emergency update to TWiki for a security issue that
needs
://lists.debian.org/debian-devel/2008/08/msg00340.html
Feel free to comment anyway ;)
Best regards,
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven
similar to the change I have just coded and tested :)
thanks
Dmitry E. Oboukhov wrote:
tags 494648 patch
thanks
Hi, Sven
see my patch, please
--
. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ardo, Christian ..
I've just put an updated version of the twiki package at
http://distributedinformation.com/TWikiDebian/
that fixes both the security flaw Dmitry found, and a few other bad
oddities.
Could one of you by any chance take a look at
:)
Sven
Olivier Berger wrote:
Hi.
Haven't had a chance to look at the updated package yet (will try
today), but I think it may be better to acknowledge previous NMUs
explicitely in the changelog.
Hope this helps,
Best regards,
Le jeudi 14 août 2008 à 19:03 +1000, Sven Dowideit
, including pollution the
perl lib dirs) so that TWiki people stop being totally confused by the
setup :/
Sven
Nico Golde wrote:
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2008-08-13 11:05]:
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
for the version that is going into
lenny - I'll close it as soon as i can find the docco for howto do that :/
Sven
Steve Kemp wrote:
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
I will have to assume that this report is indeed incorrect unless I hear
otherwise.
On my
the hell out of them.
Nico Golde wrote:
Hi Olivier,
* Olivier Berger [EMAIL PROTECTED] [2008-08-13 12:53]:
Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
[...]
I'm hoping for the next release that I can move everything into
/var/twiki (rather than scattered around the fs
Nico's point
wrt to filling /var
Sven
Olivier Berger wrote:
Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
Nico,
/var/run - I'll keep that in mind for post lenny - I was really hoping
that debian had a place for this sort of session data, but didn't manage
to get
no, its got nothing to do with /var/lib/twiki/data etc, its the location
for session data - produced by CGI::Session etc.
Olivier Berger wrote:
Le mercredi 13 août 2008 à 11:12 +0100, Steve Kemp a écrit :
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
I know that I can coerce
so Dmitry,
if you were trying to actually help get this fixed, I presume you would
have suggested that I just patch the code to
rm /tmp/twiki
and then create it?
or what are you actually suggesting?
Sven
Dmitry E. Oboukhov wrote:
Where?
$curl
these are _WEB_ session files.
there are no user directories.
Dmitry E. Oboukhov wrote:
SD so Dmitry,
SD if you were trying to actually help get this fixed, I presume you would
SD have suggested that I just patch the code to
SD rm /tmp/twiki
SD and then create it?
SD or what are you
So are you suggesting that I instead fill up /tmp directly with
thousands of cgisess_123412 files?
because the location that those files go into needs to be predictable -
so that each cgi script goes to the same place.
Julien Cristau wrote:
On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven
No, I was told by Nico or Joey that web apps should not be filling up
the /var filesystem with session files.
this is apparently also _not_ a solution.
/tmp was determined in October 2007 as the best place
Dmitry E. Oboukhov wrote:
On 00:17 Thu 14 Aug , Sven Dowideit wrote:
SD
Yes, you should not share CGI::Session files, it does lead to leakage,
and really odd side effects.
Olivier Berger wrote:
Le mercredi 13 août 2008 à 16:19 +0200, Julien Cristau a écrit :
On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
so Dmitry,
if you were trying to actually
Dmitry E. Oboukhov wrote:
On 00:38 Thu 14 Aug , Sven Dowideit wrote:
SD No, I was told by Nico or Joey that web apps should not be filling up
SD the /var filesystem with session files.
SD this is apparently also _not_ a solution.
SD /tmp was determined in October 2007 as the best
how would this would be different from ?
Debian Bug report logs - #468159
twiki: Redirect after Template Login failes
Olivier Berger wrote:
On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
the best irony of this bug, is :
I've implemented Joey's suggestion of 1777 O_EXCL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Guys,
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
If not, is there any chance that automated tool users are at least
required to help out with a bit more information that the alarmist
ah, good find.
Ardo and Christian,
If I make an update to the 4.1.2 package, fixing this, and a couple of
other issues that I've been told about in the next 48 days, would one of
you be willing to upload it for me so it gets into Lenny?
Sven
Dmitry E. Oboukhov wrote:
Package: twiki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was hoping to have time for this today, but it seems not to be.
I would suggest using 'TWiki Configure User Password' and setting the
configure save pwd to the same thing. (and making the username for it
'admin')
That way it will not need to
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue. no-one on the security team suggested it was
either, leading me to believe that we had a consensus.
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags:
Also, the patch was found, by you to be defective. So I was expecting to
see another round.
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In current state of the Debian package, if nothing is changed manually to the
+1000, Sven Dowideit a écrit :
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue.
OK, here I strongly disagree.
You say you don't see as a major issue that anyone on the Internet can
access and change a TWiki instance's configuration
is this a bug in the debian pakage? If it is a general twiki bug, could
you report it in the upstream bug tracking system??
http://develop.twiki.org.
Cheers
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.0.5-9.1
Severity: normal
Whenever accessing a topic (view) with a malformed
to
filling /var
and fixed a few other bitzers
I've reported the issue upstream so we can look at doing a more lasting change
for the next release.
Sven
On Fri, 2007-10-26 at 16:57 +1000, Sven Dowideit wrote:
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release. Thankyou Joey, as usual you've helped us unsafe bumbles again.
Sven
On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
Sven Dowideit wrote:
neat summary Joey :)
The reason that I made it world writeable
files which have their
own uniqued filename.
and so, I think you are in error, and need to read the code a little
before you make assertions like this.
Sven
On Sun, 2007-10-21 at 12:26 +0200, Nico Golde wrote:
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-21 11:57]:
ok, following
explaining, but rather continue explaining in a
friendly way.
Sven, please ignore Nicos tone and have a look at
http://en.wikipedia.org/wiki/Symlink_race :-)
Thanks regards happy hacking,
Holger
--
Professional Wiki Innovation and Support
Sven Dowideit - http
security is a crock :(
Do you have any suggestions (other than re-writing TWiki?) or should I
just disable that funcionality and run away?
Sven
On Tue, 2007-10-23 at 16:45 -0400, Joey Hess wrote:
Sven Dowideit wrote:
the working/tmp dir is used for rcs tmp files, and twiki session files
in this.
Sven,
This is not good. Let's never do this again.
Thanks,
Ardo
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe
.)
I also wasn't aware of you being involved in this.
Sven,
This is not good. Let's never do this again.
Thanks,
Ardo
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE
I thought that Debian was supposed to be so close to releasing Etch that
I shouldn't change upstream versions so dramatically?
Sven
On Sun, 2007-03-11 at 09:12 +0100, Michael Biebl wrote:
Package: twiki
Severity: wishlist
Hi,
please consider packaging the latest version, which is 4.1.2
think)
Sven
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
. As usual, it comes with an offer
to NMU the package.
Regards, Frank
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
I've made a new version of the package (that fixes this, and other
issues), and its waiting in my sponsor's queue
http://members.iinet.net.au/~spos/twiki_4.0.5-9_all.deb
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email
Package: twiki
Version: 1:4.0.5-7
I expect to look into this on the weekend
Sven
On Thu, 2007-02-08 at 09:31 -0800, Peter Thoeny wrote:
This is a security advisory for TWiki installations:
Local users may cause TWiki to execute arbitrary code
by creating CGI session files.
*
yes, TWiki does not run without a dataset.
if you don't use the sample topic set, the presumption is that you
are either upgrading, re-installing, or using your own.
Luca, can you suggest a better wording for the user prompt?
Cheers
Sven
(ps, I'm without computer for the next 3 weeks)
I think these are settings that are still set on the
TWiki.TWikiPreferences or Main.TWikiPreferences topic, not via
configure.
Basically, only settings that are accessible via the configure
interface, are gotten from LocalSite.cfg.
its an interesting suggestion for upstream - you could
heck y,
sorry, blindness causes bad side-effects :(
mind you, I personally wish debian would see the light, and create a
webserver-cgi pseudopackage, with a universal configuration builder
that way little packages like twiki would not have dependancies on
_any_ particular versions...
i can.
Sven
On 04/11/2006, at 3:52 AM, Antony Gelberg wrote:
I haven't cc'd the bug 367973 that this comes from - Steve if you
want the background please see http://bugs.debian.org/cgi-bin/
bugreport.cgi?bug=367973 and http://bugs.debian.org/twiki.
Sven Dowideit:
its stuff like
its stuff like this that just keeps depressing me into not finishing the
work i do packaging twiki for debian.
your officiousness is a joy, ta.
same sort of thing as when just before the last debian release came out,
and some one helpfully filed an un-reproducible RC bug, that didn't
happen for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
/usr/lib/cgi-bin/nagios/grouplist.cgi is not a twiki script
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I implemented the .mailnotify suggestion in (20030201-3) - but i've been
reluctant to create a crontab magically
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
to anything at all and be riddled with security holes.
micah
Sven Dowideit wrote:
excellent.
Micah, did you manage to reproduce this in the debian package at all?
you see, the debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume
and this bug report can be closed?
Micah
Sven Dowideit wrote:
while I think its very reasonable for you to send along these
advisories, and even doing so as a BTS bug wothout testing them
I think its incredibly rude to do so without saying that you have not
tested it out.
please, if you enter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
excellent.
Micah, did you manage to reproduce this in the debian package at all?
you see, the debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume that you
have found a way to make it
Isn't this already fixed in the latest version og the package? (20040902-3)
twiki (20040902-2) unstable; urgency=emergency
.
* removed Text::Diff, added depends libtext-diff-perl (Closes #29522)
* set twikiLibPath to /usr/share/perl5 in setlib.cfg (Closes #296461)
* applied
giorno sab, 07-05-2005 alle 19:22 +1000, Sven Dowideit ha scritto:
While I'd agree that this is pretty grave really, I can't reproduce
this.
is there any more info that you can give me?
are you able to create / edit topics, add an attachement to a new topic,
or anything like this?
I
I'm sorry, but I cannot re-produce this. and when testing your suggested
change, I get other errors in my log.
is there any more information you can give me?
(what topics, what kind of changes, which particular diffs link)
Sven
On Mon, 2005-05-02 at 07:01 -0400, [EMAIL PROTECTED] wrote:
While I'd agree that this is pretty grave really, I can't reproduce
this.
is there any more info that you can give me?
are you able to create / edit topics, add an attachement to a new topic,
or anything like this?
Sven
On Fri, 2005-04-22 at 11:09 +0200, Andrea Ceccanti wrote:
Package: twiki
as the original writer of the topic upgrading part of UpgradeTWiki
(though mine was really just a test / proof of concept) I would agree,
that right now, it would be best not to use the debian package on a
large complex twiki config - I'm intending it to become better, and am
working on
Frank,
i don't think gnusave is part of the twiki package.
are you fixing bugs in the gnu skin? in which case they need (at least
for now) to be reported and fixed upstream
Sven
On Wed, 2005-02-16 at 15:49 +0800, Frank Horowitz wrote:
Package: twiki
Version: 20040902-1
Severity: important
Package: twiki
Version: 20030201-6
you should be able to unpack plugins in /var/lib/twiki
This has been working for me with version 20030201-6 on Sarge (testing).
I think the way to best match what other Debian packages do would be to
have TWiki look in /usr/local for locally-installed
62 matches
Mail list logo