Your message dated Sat, 20 Feb 2016 18:47:12 +0000
with message-id <e1axcyi-0007ey...@franck.debian.org>
and subject line Bug#815111: fixed in didiwiki 0.5-11+deb8u1
has caused the Debian Bug report #815111,
regarding didiwiki: CVE-2013-7448: path traversal vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
815111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11
Tags: patch + pending
Severity: critical

A user has privately sent me a security patch for the didiwiki
package, which I maintain. The current installation allows any of the
system's users to access any file on the filesystem. To reproduce
it:
----
apt-get install didiwiki

curl http://localhost:8000/api/page/get?page=/etc/passwd
----

A patch was also provided by Alexander Izmailov, and will be applied
in the upcoming update. Thank you for that!

A CVE request has been requested. The Debian security team has been
notified too.

A version correcting this error will be uploaded soon.

 Ignace M

--- End Message ---
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-11+deb8u1

We believe that the bug you reported is fixed in the latest version of
didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Feb 2016 15:30:23 +0100
Source: didiwiki
Binary: didiwiki
Architecture: source amd64
Version: 0.5-11+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Ignace Mouzannar <mouzan...@gmail.com>
Changed-By: Sebastien Delafond <s...@debian.org>
Description:
 didiwiki   - simple wiki implementation with built-in webserver
Closes: 815111
Changes:
 didiwiki (0.5-11+deb8u1) jessie-security; urgency=high
 .
   * NMU by the Security Team; thanks to Ignace Mouzannar
     <mouzan...@gmail.com> and Alexander Izmailov <yaro...@gmail.com> for
     providing the patch for CVE-2013-7448, correcting a major security
     issue allowing didiwiki to display any file on the
     filesystem. (Closes: #815111)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
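
The report in this thread shows the `page` value of `/api/page/get` reaching the filesystem as a path. The C code below is an added example, not didiwiki's source and not the patch credited in the changelog; it assumes each page is a single file in one wiki directory, and the names `hexval`, `url_decode` and `page_param_to_name` are hypothetical.

```c
/* Added illustration: not didiwiki's code and not the CVE-2013-7448 patch. */
#include <ctype.h>
#include <string.h>   /* size_t */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (dstlen bytes). Returns the decoded length,
 * or -1 on a malformed escape, an embedded NUL (%00) or overflow. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0) return -1;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        } else if (c == '+') {
            c = ' ';                    /* form encoding for a space */
        }
        if (c == 0 || n + 1 >= dstlen) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Decode first, then validate: the name must be one file in the wiki dir.
 * Returns 1 and leaves the decoded name in `name`, or 0 to refuse. */
static int page_param_to_name(const char *raw, char *name, size_t namelen)
{
    int len = url_decode(raw, name, namelen);
    if (len <= 0 || name[0] == '.')
        return 0;                       /* empty, ".", "..", hidden files */
    for (int i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;                   /* separators and control bytes */
    }
    return 1;                           /* safe to join as wiki_dir/name */
}
```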
