Your message dated Mon, 25 Aug 2008 17:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#494648: fixed in twiki 1:4.1.2-4
has caused the Debian Bug report #494648,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
494648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: twiki
Severity: grave
Tags: security

This bug report concerns several packages at once. I've tested all the
packages on my Debian mirror. The (post|pre)(inst|rm) and config
scripts were tested.

In some packages I've discovered scripts with errors which may be used
by a user to damage important system files.

For example, if a script uses a temp file which is created in the /tmp
directory, then any user can create a symlink with the same name in
this directory in order to destroy or rewrite some system file.

I set Severity to grave for this bug. The table of discovered problems
is below.

+------------------+-----------------+----------------------------------
|    package       |  script         | file for attack
+------------------+-----------------+----------------------------------
| mplayer-1.0~rc2  |  config         | /tmp/HACK (pipe)
|                  |                 |
| nws-2.13         |  postinst       | /tmp/nws.debug (cp)
|                  |                 |
| ppp-2.4.4rel     |  postinst       | /tmp/probe-finished (rm -f, pipe)
|                  |  postinst       | /tmp/ppp-errors (rm -f, pipe)
|   ppp-udeb       |  /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
|                  |                 |
| twiki-4.1.2      |  postinst       | /tmp/twiki  (chmod 1777, chown)
+------------------+-----------------+----------------------------------



--- End Message ---
--- Begin Message ---
Source: twiki
Source-Version: 1:4.1.2-4

We believe that the bug you reported is fixed in the latest version of
twiki, which is due to be installed in the Debian FTP archive:

twiki_4.1.2-4.diff.gz
  to pool/main/t/twiki/twiki_4.1.2-4.diff.gz
twiki_4.1.2-4.dsc
  to pool/main/t/twiki/twiki_4.1.2-4.dsc
twiki_4.1.2-4_all.deb
  to pool/main/t/twiki/twiki_4.1.2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Dowideit <[EMAIL PROTECTED]> (supplier of updated twiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 14 Aug 2008 09:53:40 +0100
Source: twiki
Binary: twiki
Architecture: source all
Version: 1:4.1.2-4
Distribution: unstable
Urgency: emergency
Maintainer: Sven Dowideit <[EMAIL PROTECTED]>
Changed-By: Sven Dowideit <[EMAIL PROTECTED]>
Description: 
 twiki      - A Web Based Collaboration Platform
Closes: 468159 482285 494648
Changes: 
 twiki (1:4.1.2-4) unstable; urgency=emergency
 .
   * move session files to /var/lib/twiki/working/tmp (Closes: #494648)
   * related issue with passthrough files (Closes: #468159)
   * fix dependencies on apache* rather than apache*-common (Closes: #482285)
   * remove TWikiGuest user with hardcoded password from htpassword.
   * Build instructions moved from section -arch to -indep (closes lintian warning).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiy4ykACgkQKFvXofIqeU5JugCdGnfVSOoq7I6GRXMwH7bbJaNa
ug0AoME5OHgnLOLfWVJLaLzfdvJ8nMse
=JzdQ
-----END PGP SIGNATURE-----



--- End Message ---
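
The report's twiki row (`/tmp/twiki`, chmod 1777, chown) and the changelog's fix (session files moved to /var/lib/twiki/working/tmp) can be compared side by side in a throwaway sandbox. This is an added example, not code from the twiki package or from either message; the function names `unsafe_prepare`, `safe_prepare`, `mode_of` and `demo`, and the sandbox directories standing in for /tmp and /var/lib/twiki/working, are assumptions.

```shell
#!/bin/sh
# Added example, not the twiki postinst. Function names and the sandbox
# layout are assumptions made for illustration.

mode_of() { ls -ld -- "$1" 2>/dev/null | cut -c1-10; }   # e.g. drwxr-xr-x

# BEFORE: stand-in for the table row "/tmp/twiki (chmod 1777, chown)".
# mkdir -p accepts an existing symlink to a directory; chmod follows it.
unsafe_prepare() {
    mkdir -p -- "$1" && chmod 1777 -- "$1"
}

# AFTER: keep the directory under a parent that other users cannot write
# (the fix moved session files to /var/lib/twiki/working/tmp) and refuse
# anything already present that is not a plain directory.
safe_prepare() {
    dir=$1
    case $(mode_of "$(dirname -- "$dir")") in
        d???????w*) return 2 ;;   # parent writable by "other": names can be pre-planted
        d*) ;;
        *) return 2 ;;            # parent missing or itself a symlink
    esac
    [ -L "$dir" ] && return 3     # never chmod/chown through a link
    if [ -e "$dir" ]; then
        [ -d "$dir" ] || return 3
    else
        mkdir -m 0700 -- "$dir" || return 4   # no -p: fails if the name appears meanwhile
    fi
    chmod 0700 -- "$dir"
}

# Constructed sandbox: "shared" plays /tmp, "state" plays /var/lib/twiki/working.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/victim" "$box/shared" "$box/state"
    chmod 0755 "$box/victim" "$box/state"; chmod 1777 "$box/shared"
    ln -s "$box/victim" "$box/shared/twiki"        # name planted in advance
    unsafe_prepare "$box/shared/twiki"; before=$(mode_of "$box/victim")
    chmod 0755 "$box/victim"
    safe_prepare "$box/shared/twiki" && r1=0 || r1=$?
    ln -s "$box/victim" "$box/state/tmp"
    safe_prepare "$box/state/tmp" && r2=0 || r2=$?
    rm "$box/state/tmp"
    safe_prepare "$box/state/tmp" && r3=0 || r3=$?
    out="unsafe=$before shared=$r1 link=$r2 clean=$r3:$(mode_of "$box/state/tmp")"
    out="$out victim=$(mode_of "$box/victim")"
    rm -rf "$box"
    echo "$out"
}
demo
```

The check-then-chmod sequence in `safe_prepare` is only sound because the parent directory is not writable by other users, which is why the location matters more than the checks.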
