Your message dated Mon, 22 Feb 2016 19:20:33 +0000
with message-id <e1axw25-0001ur...@franck.debian.org>
and subject line Bug#815111: fixed in didiwiki 0.5-9+deb6u1
has caused the Debian Bug report #815111,
regarding didiwiki: CVE-2013-7448: path traversal vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
815111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11
Tags: patch + pending
Severity: critical

A user has privately sent me a security patch for the didiwiki
package, which I maintain. The current installation allows any of the
system's users to access any file on the filesystem. To reproduce
it:
----
apt-get install didiwiki

curl http://localhost:8000/api/page/get?page=/etc/passwd
----

A patch was also provided by Alexander Izmailov, and will be applied
in the upcoming update. Thank you for that!

A CVE request has been requested. The Debian security team has been
notified too.

A version correcting this error will be uploaded soon.

 Ignace M

--- End Message ---
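
The request in the report above passes an absolute path in the `page` parameter. As an added illustration (not the patch credited in this thread and not didiwiki's own code), here is one way a C server can confine page lookups to its page directory. The function names, the 255-byte limit and the flat one-file-per-page layout are assumptions.

```c
/* Added example: names, limit and layout are assumptions, not didiwiki's code. */
#define _POSIX_C_SOURCE 200809L   /* openat, O_DIRECTORY, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define WIKI_NAME_MAX 255

/* Return 1 if `name` can only refer to a direct child of the page directory. */
int wiki_page_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;

    if (len == 0 || len > WIKI_NAME_MAX)
        return 0;
    if (name[0] == '.')               /* rejects ".", ".." and dotfiles */
        return 0;
    if (strchr(name, '/') != NULL)    /* rejects absolute and nested paths */
        return 0;
    return 1;
}

/* Open a page read-only relative to `wiki_dir`; return fd, or -1 on refusal/error. */
int wiki_open_page(const char *wiki_dir, const char *name)
{
    int dirfd, fd;

    if (!wiki_page_name_ok(name))
        return -1;
    dirfd = open(wiki_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* O_NOFOLLOW: a symlink planted in the page directory is not followed. */
    fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW);
    close(dirfd);
    return fd;
}

int main(void)
{
    /* Constructed inputs; the first is the value from the report above. */
    const char *samples[] = { "/etc/passwd", "../../etc/passwd", "..", "WikiHome" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i], wiki_page_name_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The name check runs before any filesystem call, so a rejected request never reaches `open`; the `openat` call then resolves the accepted name only against the page directory's descriptor.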
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-9+deb6u1

We believe that the bug you reported is fixed in the latest version of
didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Feb 2016 18:03:02 +0100
Source: didiwiki
Binary: didiwiki
Architecture: source i386
Version: 0.5-9+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Ignace Mouzannar <mouzan...@gmail.com>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description: 
 didiwiki   - simple wiki implementation with built-in webserver
Closes: 815111
Changes: 
 didiwiki (0.5-9+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * thanks to Ignace Mouzannar <mouzan...@gmail.com> and
     Alexander Izmailov <yaro...@gmail.com> for
     providing the patch for CVE-2013-7448, correcting a major security
     issue allowing didiwiki to display any file on the
     filesystem. (Closes: #815111)


--- End Message ---
