Your message dated Sun, 29 Sep 2013 21:17:43 +0000
with message-id <e1vqon5-0003lw...@franck.debian.org>
and subject line Bug#724746: fixed in tntnet 1.6.3-4+deb6u1
has caused the Debian Bug report #724746,
regarding tntnet: Default configuration exports whole filesystem via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
724746: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724746
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tntnet
Version: 2.1-2
Severity: grave

Dear Maintainer,

the default configuration of the tntnet package contains this line:

MapUrl  ^/(.*)$ static@tntnet /$1

This causes the whole filesystem to be exported via HTTP, thus allowing
all files readable by the user www-data on the whole system to be
downloaded via HTTP. For example a GET request to
http://hostname/etc/passwd will return the /etc/passwd file.

The line should be changed like this:

MapUrl  ^/(.*)$ static@tntnet /var/www/$1


-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (1051, 'stable'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.4.60 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---
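
The check below is an added example, not part of the bug report or of the tntnet package: it scans configuration text for static mappings like the one reported and flags any whose target is not confined to a document root. The directive layout is inferred from the single MapUrl line quoted in the report, and the function name audit_mapurl, the default docroot and the sample lines are assumptions made for illustration.

```python
import posixpath
import re

# Layout inferred from the single directive quoted in the report (an assumption):
#   MapUrl <url-regex> <component>@<library> [<target-with-$N-backrefs>]
MAPURL = re.compile(r"^\s*MapUrl\s+(\S+)\s+(\S+)@(\S+)(?:\s+(\S+))?\s*$")

def audit_mapurl(conf_text, docroot="/var/www"):
    """Return [(line_no, target)] for static mappings not confined to docroot."""
    root = posixpath.normpath(docroot)
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = MAPURL.match(line)
        if not m or m.group(2) != "static" or m.group(4) is None:
            continue  # comments, other components, or no explicit target
        target = m.group(4)
        # Everything before the first $N is the fixed part of the served path.
        prefix = re.split(r"\$\d", target, maxsplit=1)[0]
        fixed = posixpath.normpath(prefix) if prefix else ""
        # Require a trailing "/" so "/var/www$1" cannot reach "/var/www-private".
        confined = prefix.endswith("/") and (
            fixed == root or fixed.startswith(root + "/"))
        if not confined:
            findings.append((line_no, target))
    return findings

# Constructed sample input; "myapp" is a hypothetical component name.
SAMPLE = """\
# constructed sample, not a real tntnet.conf
MapUrl  ^/(.*)$ static@tntnet /$1
MapUrl  ^/(.*)$ static@tntnet /var/www/$1
MapUrl  ^/docs/(.*)$ static@tntnet /var/www/../$1
MapUrl  ^/pub/(.*)$ static@tntnet /var/www$1
MapUrl  ^/app/(.*)$ myapp@myapp
"""

if __name__ == "__main__":
    for line_no, target in audit_mapurl(SAMPLE):
        print(f"line {line_no}: static target {target!r} is not confined to /var/www")
```

The check looks only at the fixed prefix of each mapping; how the static component treats ".." segments in the request path is outside its scope.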
--- Begin Message ---
Source: tntnet
Source-Version: 1.6.3-4+deb6u1

We believe that the bug you reported is fixed in the latest version of
tntnet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 724...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kari Pahula <k...@debian.org> (supplier of updated tntnet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 29 Sep 2013 20:36:39 +0300
Source: tntnet
Binary: tntnet tntnet-doc tntnet-demos libtntnet8 libtntnet-dev tntnet-runtime
Architecture: source all amd64
Version: 1.6.3-4+deb6u1
Distribution: oldstable
Urgency: high
Maintainer: Kari Pahula <k...@debian.org>
Changed-By: Kari Pahula <k...@debian.org>
Description: 
 libtntnet-dev - Tntnet library development headers
 libtntnet8 - Tntnet libraries
 tntnet     - modular, multithreaded web application server for C++
 tntnet-demos - demo web applications for Tntnet
 tntnet-doc - documentation for Tntnet
 tntnet-runtime - Tntnet runtime system
Closes: 724746
Changes: 
 tntnet (1.6.3-4+deb6u1) oldstable; urgency=high
 .
   * Fix insecure default tntnet.conf.  (Closes: #724746)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
