On Wed, Jul 23, 2008 at 11:10:58PM +0200, Moritz Naumann wrote:
> Hi,
> 
> this is a follow-up on Bug#491917.

The bug report is public and I'm happy for any further comments to be
public. I'll be uploading the fixed package tonight and closing this
bug. There is (IMHO) no need to use encryption for this matter any
longer.

> At least until an hour from now, emdebian.org was still vulnerable, and
> only Neil's latest patch should now provide a fix for this issue.

That patch has been further revised and sync'd to emdebian.org.

> Even with the latest patches one may still read files the webserver has
> permissions to if said files reside in a directory named 'trunk':

That aspect is not a bug. The files in that location are meant to be
readable and output to the web. A further enhancement removes the / in
the $pkg variable so that '/path/to' becomes 'pathto' as $pkg should
only contain a package name, not a path.

--

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
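
The slash-stripping described in the message, paired with an allowlist check on the result, as an added example (not code from the emdebian.org script or from either correspondent). The `BASE` directory, the `BASE/<pkg>/trunk` layout and all function names are assumptions; the package-name pattern follows the Debian Policy syntax for package names.

```python
import re
from pathlib import Path

# Assumption: hypothetical document root; the real script's paths are not on the page.
BASE = Path("/srv/example/packages")

# Debian Policy package-name syntax: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric.
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def strip_slashes(pkg: str) -> str:
    """The enhancement described in the message: '/path/to' becomes 'pathto'."""
    return pkg.replace("/", "")


def valid_pkg(pkg: str) -> bool:
    """Allowlist check added in this example: accept only package-name syntax."""
    return PKG_RE.fullmatch(pkg) is not None


def trunk_path(pkg: str) -> Path:
    """Build BASE/<pkg>/trunk (assumed layout) and refuse anything outside BASE."""
    name = strip_slashes(pkg)
    if not valid_pkg(name):
        raise ValueError(f"not a package name: {pkg!r}")
    candidate = (BASE / name / "trunk").resolve()
    if BASE.resolve() not in candidate.parents:
        raise ValueError(f"path escapes base: {pkg!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    for sample in ["busybox", "/path/to", "..", "../../etc/passwd", "libstdc++6"]:
        try:
            print(f"{sample!r:22} -> {trunk_path(sample)}")
        except ValueError as err:
            print(f"{sample!r:22} -> rejected ({err})")
```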

