Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
Hi,

On Thu, Jan 21, 2010 at 06:56:12AM +0100, Frank Lin PIAT wrote:
> On Wed, 2010-01-20 at 17:29 -0600, Raphael Geissert wrote:
> > 2010/1/20 Frank Lin PIAT fp...@klabs.be:
> > > On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> > > > The MoinMoin developers have released moin-1.9.1. This release fixes
> > > > a security issue¹. It also provides a lot of small bug fixes.
> > >
> > > I've attached a patch for the security update, backporting upstream's
> > > security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded
> > > with urgency = high)
> >
> > Is there any reason why this shouldn't be uploaded to unstable (or the
> > new upstream release even)? Or why do you use that version name?
>
> Hello,
>
> It is intended to be uploaded to unstable.
> (If you ask this, I suppose I shouldn't have named it +squeeze1)

I am alive - just pretty busy :-/

I'll prepare and upload a standard upgrade of python-moin to the new
upstream security-bug release 1.9.1, and will target it unstable with
urgency high.

Does there exist some CVE or similar that we should include?

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
Jonas Smedegaard wrote:
> On Thu, Jan 21, 2010 at 06:56:12AM +0100, Frank Lin PIAT wrote:
> > On Wed, 2010-01-20 at 17:29 -0600, Raphael Geissert wrote:
> > > 2010/1/20 Frank Lin PIAT fp...@klabs.be:
> > > > On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> > > > > The MoinMoin developers have released moin-1.9.1. This release
> > > > > fixes a security issue¹. It also provides a lot of small bug fixes.
> > > >
> > > > I've attached a patch for the security update, backporting upstream's
> > > > security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded
> > > > with urgency = high)
> > >
> > > Is there any reason why this shouldn't be uploaded to unstable (or the
> > > new upstream release even)? Or why do you use that version name?
> >
> > It is intended to be uploaded to unstable.
> > (If you ask this, I suppose I shouldn't have named it +squeeze1)
>
> I am alive - just pretty busy :-/

That was one of the possibilities ;-)

> I'll prepare and upload a standard upgrade of python-moin to the new
> upstream security-bug release 1.9.1, and will target it unstable with
> urgency high.

I prepared a patch, backporting 1.9.1 security update only.

> Does there exist some CVE or similar that we should include?

See http://security-tracker.debian.org/tracker/TEMP-000-01 (and my
comments in the BR).

Franklin

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
2010/1/21 Frank Lin PIAT fp...@klabs.be:
> Jonas Smedegaard wrote:
> > On Thu, Jan 21, 2010 at 06:56:12AM +0100, Frank Lin PIAT wrote:
> > > It is intended to be uploaded to unstable.
> > > (If you ask this, I suppose I shouldn't have named it +squeeze1)

It's just that I don't see any reason to do that. The codename is
usually appended only when making an upload targeted to that release.

> > I am alive - just pretty busy :-/
>
> That was one of the possibilities ;-)
>
> > I'll prepare and upload a standard upgrade of python-moin to the new
> > upstream security-bug release 1.9.1, and will target it unstable with
> > urgency high.
>
> I prepared a patch, backporting 1.9.1 security update only.

I think this should be decided within your team :)

> > Does there exist some CVE or similar that we should include?

No, there isn't. I've just requested one.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> Tags: security fixed-upstream
>
> The MoinMoin developers have released moin-1.9.1. This release fixes a
> security issue¹. It also provides a lot of small bug fixes.

I've attached a patch for the security update, backporting upstream's
security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded
with urgency = high)

Can someone review and upload it please (Jonas doesn't seem to be
available at this time).

Thanks

Franklin

commit d68e87883a427fc6162603d7af944307c8bec63e Author: Frank Lin PIAT fp...@klabs.be Date: Wed Jan 20 21:56:38 2010 +0100 1.9.0-1+squeeze1 diff --git a/debian/changelog b/debian/changelog index 97459db..300b491 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +moin (1.9.0-1+squeeze1) unstable; urgency=high + + * Non-maintainer upload. + * Fix sys.argv security issue in moin.cgi (and other *cgi variants. This +is a backport from upstream 1.9.1) Closes: bug#565854 + + -- Frank Lin PIAT fp...@klabs.be Wed, 20 Jan 2010 21:56:58 +0100 + moin (1.9.0-1) unstable; urgency=low * New upstream release diff --git a/debian/patches/fix_sys.argv_issue_1of2.patch b/debian/patches/fix_sys.argv_issue_1of2.patch new file mode 100644 index 000..f9198df --- /dev/null +++ b/debian/patches/fix_sys.argv_issue_1of2.patch @@ -0,0 +1,17 @@ +Fix sys.argv issue 1/2 +Backport of upstream 1.9.1 security issue +(commit http://hg.moinmo.in/moin/1.9/rev/04afdde50094) +Author: Thomas Waldmann tw-pub...@gmx.de +diff -r 93fbb0418225 -r 04afdde50094 wiki/server/moin.cgi +--- a/wiki/server/moin.cgi Mon Jan 18 13:46:32 2010 +0100 b/wiki/server/moin.cgi Mon Jan 18 22:28:57 2010 +0100 +@@ -34,6 +34,9 @@ + # this works around a bug in flup's CGI autodetection (as of flup 1.0.1): + os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI + ++if 'GATEWAY_INTERFACE' in os.environ: ++sys.argv = [] ++ + from MoinMoin.web.flup_frontend import CGIFrontEnd + CGIFrontEnd().run() + 
diff --git a/debian/patches/fix_sys.argv_issue_2of2.patch b/debian/patches/fix_sys.argv_issue_2of2.patch new file mode 100644 index 000..feef243 --- /dev/null +++ b/debian/patches/fix_sys.argv_issue_2of2.patch @@ -0,0 +1,44 @@ +Fix sys.argv issue 2/2 (move sys.argv fix to better place) +Backport of upstream 1.9.1 security issue +(commit http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2 ) +Author: Thomas Waldmann tw-pub...@gmx.de +diff -r 44c165260367 -r 9d8e7ce3c3a2 MoinMoin/web/flup_frontend.py +--- a/MoinMoin/web/flup_frontend.pyMon Jan 18 22:40:49 2010 +0100 b/MoinMoin/web/flup_frontend.pyMon Jan 18 23:05:58 2010 +0100 +@@ -129,6 +129,11 @@ + if have_singlepatch: + server_types['single'] = 'flup.server.fcgi_single' + ++def run(self, args=None): ++if 'GATEWAY_INTERFACE' in os.environ: ++sys.argv = [] ++super(CGIFrontEnd, self).run(args) ++ + class SCGIFrontEnd(FlupFrontEnd): + server_types = {'threaded': 'flup.server.scgi', + 'forking': 'flup.server.scgi_fork'} +@@ -144,6 +149,11 @@ + support is available.) + super(CGIFrontEnd, self).__init__() + ++def run(self, args=None): ++if 'GATEWAY_INTERFACE' in os.environ: ++sys.argv = [] ++super(CGIFrontEnd, self).run(args) ++ + def run_server(self, application, options): + from MoinMoin.web._fallback_cgi import WSGIServer + return WSGIServer(application).run() +diff -r 44c165260367 -r 9d8e7ce3c3a2 wiki/server/moin.cgi +--- a/wiki/server/moin.cgi Mon Jan 18 22:40:49 2010 +0100 b/wiki/server/moin.cgi Mon Jan 18 23:05:58 2010 +0100 +@@ -34,9 +34,6 @@ + # this works around a bug in flup's CGI autodetection (as of flup 1.0.1): + os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI + +-if 'GATEWAY_INTERFACE' in os.environ: +-sys.argv = [] +- + from MoinMoin.web.flup_frontend import CGIFrontEnd + CGIFrontEnd().run() + diff --git a/debian/patches/series b/debian/patches/series index fa0e1b8..7069d41 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,3 +3,5 @@ hardcode_configdir.patch disable_gui_editor_if_fckeditor_missing.patch htdocs_moved_to_usr_share_moin.patch use_systemwide_libs.patch +fix_sys.argv_issue_1of2.patch +fix_sys.argv_issue_2of2.patch
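Review bot: the debian/changelog hunk references no CVE or security-tracker id for the sys.argv issue, and it stamps the upload as `1.9.0-1+squeeze1` while the distribution field says `unstable`; a `+squeeze1` suffix is the convention for an upload targeted at that release, as Raphael Geissert points out later in this thread, so a plain revision bump (for example `1.9.0-2`) would be the usual choice, and the entry should gain the CVE id once one is assigned.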
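Review bot: the fix_sys.argv_issue_1of2.patch hunk adds the `if 'GATEWAY_INTERFACE' in os.environ: sys.argv = []` guard to wiki/server/moin.cgi, and fix_sys.argv_issue_2of2.patch then removes exactly those three lines again; since both patches ship in the same series and are applied back to back, consider squashing them into a single quilt patch so the series does not carry a change that is immediately undone, and so a reader of debian/patches sees the final location of the guard (MoinMoin/web/flup_frontend.py) directly. Note also that the changelog's "other *cgi variants" are only covered by the second patch, not by this moin.cgi-only hunk.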
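Review bot: both `run()` overrides added to MoinMoin/web/flup_frontend.py (the hunk at `@@ -129,6 +129,11 @@` for the flup-based CGIFrontEnd and the hunk at `@@ -144,6 +149,11 @@` for the fallback CGIFrontEnd) read `os.environ` and assign `sys.argv`, but neither hunk's context shows the module importing `os` or `sys`; please confirm both imports exist at the top of that file in 1.9.0, otherwise the guard raises NameError at request time instead of clearing argv. A one-line comment above each guard saying why argv must be emptied under CGI (the frontend must not parse anything the gateway placed in argv as command-line options) would also help the next person who touches this code; as written, the two identical overrides carry no explanation.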
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
2010/1/20 Frank Lin PIAT fp...@klabs.be:
> On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> > Tags: security fixed-upstream
> >
> > The MoinMoin developers have released moin-1.9.1. This release fixes a
> > security issue¹. It also provides a lot of small bug fixes.
>
> I've attached a patch for the security update, backporting upstream's
> security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded
> with urgency = high)
>
> Can someone review and upload it please (Jonas doesn't seem to be
> available at this time).

Is there any reason why this shouldn't be uploaded to unstable (or the
new upstream release even)? Or why do you use that version name?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
On Wed, 2010-01-20 at 17:29 -0600, Raphael Geissert wrote:
> 2010/1/20 Frank Lin PIAT fp...@klabs.be:
> > On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> > > The MoinMoin developers have released moin-1.9.1. This release fixes
> > > a security issue¹. It also provides a lot of small bug fixes.
> >
> > I've attached a patch for the security update, backporting upstream's
> > security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded
> > with urgency = high)
>
> Is there any reason why this shouldn't be uploaded to unstable (or the
> new upstream release even)? Or why do you use that version name?

Hello,

It is intended to be uploaded to unstable.
(If you ask this, I suppose I shouldn't have named it +squeeze1)

Franklin
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> The MoinMoin developers have released moin-1.9.1. This release fixes a
> security issue¹. It also provides a lot of small bug fixes.
>
> BTW: Please keep the xappy stuff included, as long as you don't provide
> the python-xappy package (#558715, #559979).

Upstream said[1]:

  If you want to use xapian, please apply this patch[2] or use the
  updated MoinMoin/util/Subprocess.py[3].

[1] http://moinmo.in/4ct10n/diff/MoinMoinDownload?action=diff&rev1=344&rev2=345
[2] http://hg.moinmo.in/moin/1.9/rev/3e6b8234861c
[3] http://hg.moinmo.in/moin/1.9/raw-file/3e6b8234861c/MoinMoin/util/SubProcess.py
Bug#565854: python-moinmoin: moin-1.9.1 fixes a security issue
Package: python-moinmoin
Version: 1.9.0-1
Severity: normal
Tags: security fixed-upstream

The MoinMoin developers have released moin-1.9.1. This release fixes a
security issue¹. It also provides a lot of small bug fixes.

BTW: Please keep the xappy stuff included, as long as you don't provide
the python-xappy package (#558715, #559979).

Regards,
Pascal

-- 
1 = http://hg.moinmo.in/moin/1.9/raw-file/1.9.1/docs/CHANGES

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-moinmoin depends on:
ii  python                        2.5.4-5         An interactive high-level object-o
ii  python-parsedatetime          0.8.7-1         Python module to parse human-reada
ii  python-pygments               1.2.2+dfsg-1    syntax highlighting package writte
ii  python-support                1.0.6           automated rebuilding support for P
ii  python-werkzeug               0.5.1-1         collection of utilities for WSGI a

Versions of packages python-moinmoin recommends:
pn  fckeditor                     <none>          (no description available)
ii  postfix [mail-transport-agent 2.6.5-3         High-performance mail transport ag
ii  python-xapian                 1.0.17-1        Xapian search engine interface for
ii  python-xappy                  0.5-1           easy-to-use interface to the Xapia

Versions of packages python-moinmoin suggests:
pn  antiword                      <none>          (no description available)
ii  apache2                       2.2.14-5        Apache HTTP Server metapackage
ii  apache2-mpm-worker [httpd     2.2.14-5        Apache HTTP Server - high speed th
pn  catdoc                        <none>          (no description available)
pn  docbook-dsssl                 <none>          (no description available)
ii  miscfiles [wordlist]          1.4.2.dfsg.1-9  Dictionaries and other interesting
ii  poppler-utils [xpdf-utils     0.12.2-2        PDF utilitites (based on libpopple
pn  python-4suite-xml             <none>          (no description available)
ii  python-docutils               0.6-3           utilities for the documentation of
pn  python-flup                   <none>          (no description available)
pn  python-gdchart                <none>          (no description available)
pn  python-ldap                   <none>          (no description available)
ii  python-mysqldb                1.2.2-10        A Python interface to MySQL
pn  python-openid                 <none>          (no description available)
pn  python-pyxmpp                 <none>          (no description available)
ii  python-tz                     2009u-1         Python version of the Olson timezo
pn  python-xml                    <none>          (no description available)
pn  smbfs                         <none>          (no description available)
ii  wamerican-huge [wordlist]     6-3             American English dictionary words
ii  wngerman [wordlist]           20091006-3      New German orthography wordlist

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/pyshared/MoinMoin/parser/highlight.py (from python-moinmoin package)