dowid...@home.org.au | olivier.ber...@it-sudparis.eu
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Olivier Berger wrote:
> On Sat, Dec 27, 20
Sadly, the upstream fix doesn't address the root cause of the url
parameter problem (and we've reported to them at least one exploit that
is unfixed by their patch), and I'm working on the Foswiki fork of
twiki, which is addressing the security issues we know about in what I
consider a more thoroug
This is a pretty worrying 'fix'. The Foswiki guys analysed the
situation, and felt that changing URLPARAM as twiki did was not
addressing the issue at all (and I agree). What they did was to change
the code to default to a safe encoding, and to then allow the user to
optionally request different ve
I have uploaded an updated 4.1.2-5 with this and a few other things fixed.
I've emailed Ardo asking for sponsorship, but if he's not around, would
appreciate assistance :)
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe"
oh crepe.
I thought we'd dealt with this already, but i was wrong.
looking into it - 4.1.2-5 here we come.
Sven
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&
i rcs 5.7-18 The GNU Revision Control System
>
> twiki recommends no packages.
>
> -- debconf information excluded
>
--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
ld twiki work with mod_perl ?
>>
>> Anyway, that's not consistent, IMHO.
>>
>> Mys 2 cents,
>>
>> Best regards.
>>
>
> The following may be helpful :
> http://home.org.au/cgi-bin/view/Blog/BlogEntry2007x04x03x01x23
>
> I didn't te
ah, thanks :)
do I need to find and contact (and bribe with beer?) someone to
'convince release-manager'?
Sven
Vincent Bernat wrote:
> OoO En ce début d'après-midi ensoleillé du dimanche 24 août 2008, vers
> 15:33, Sven Dowideit <[EMAIL PROTECTED]> disait :
>
someone please upload it for me so it can go into Lenny?
Sven
Vincent Bernat wrote:
> OoO Pendant le temps de midi du samedi 16 août 2008, vers 12:36, Sven
> Dowideit <[EMAIL PROTECTED]> disait :
>
>> frustratingly, I'm not a DD
>> and Worse. I have an emer
, mediawiki,
>> etc. Each attempt to establish a webapps policy seems to be aborted.
>
> That's why I asked for advice on debian-devel@ with no success :(
> http://lists.debian.org/debian-devel/2008/08/msg00340.html
>
> Feel free to comment anyway ;)
>
> Best re
ncy
>> .
>>* squash softlink exploit on session directory (Closes: #494648)
>>* related issue with passthrough files (Closes: #468159)
>>* fix dependancys on apache* rather than apache*-common (Closes:
>> #482285)
>>* remove TWikiGuest use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ardo, Christian ..
I've just put an updated version of the twiki package at
http://distributedinformation.com/TWikiDebian/
that fixes both the security flaw Dmitry found, and a few other bad
oddities.
Could one of you by any chance take a look at i
similar to the change I have just coded and tested :)
thanks
Dmitry E. Oboukhov wrote:
> tags 494648 patch
> thanks
>
> Hi, Sven
>
> see my patch, please
>
> --
>
> . ''`. Dmitry E. Oboukhov
> : :’ : [EMAIL PROTECTED]
> `. `~’ GPGKey: 1024D / F8E26537 2006-11-21
> `- 1B23 D4F8 8EC0 D902 0
how would this would be different from ?
Debian Bug report logs - #468159
twiki: Redirect after Template Login failes
Olivier Berger wrote:
> On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
>> the best irony of this bug, is :
>>
>>> I've implemen
Dmitry E. Oboukhov wrote:
> On 00:38 Thu 14 Aug , Sven Dowideit wrote:
> SD> No, I was told by Nico or Joey that web apps should not be filling up
> SD> the /var filesystem with session files.
>
> SD> this is apparently also _not_ a solution.
>
> SD> /tmp
Yes, you should not share CGI::Session files, it does lead to leakage,
and really odd side effects.
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 16:19 +0200, Julien Cristau a écrit :
>> On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
>>
>>> so Dmitry,
&g
No, I was told by Nico or Joey that web apps should not be filling up
the /var filesystem with session files.
this is apparently also _not_ a solution.
/tmp was determined in October 2007 as the best place
Dmitry E. Oboukhov wrote:
> On 00:17 Thu 14 Aug , Sven Dowideit wrote:
> SD&
So are you suggesting that I instead fill up /tmp directly with
thousands of cgisess_123412 files?
because the location that those files go into needs to be predictable -
so that each cgi script goes to the same place.
Julien Cristau wrote:
> On Wed, Aug 13, 2008 at 23:24:47 +1000, S
these are _WEB_ session files.
there are no user directories.
Dmitry E. Oboukhov wrote:
> SD> so Dmitry,
>
> SD> if you were trying to actually help get this fixed, I presume you would
> SD> have suggested that I just patch the code to
>
> SD> rm /tmp/twiki
> SD> and then create it?
>
> SD> o
so Dmitry,
if you were trying to actually help get this fixed, I presume you would
have suggested that I just patch the code to
rm /tmp/twiki
and then create it?
or what are you actually suggesting?
Sven
Dmitry E. Oboukhov wrote:
>
> Where?
>
> $curl
> http://ftp.nl.debian.org/debian/pool/
no, its got nothing to do with /var/lib/twiki/data etc, its the location
for session data - produced by CGI::Session etc.
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 11:12 +0100, Steve Kemp a écrit :
>> On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
>
>>
k to /tmp/twiki, as per Nico's point
wrt to filling /var
Sven
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
>> Nico,
>>
>> /var/run - I'll keep that in mind for post lenny - I was really hoping
>> that debian had a
fuses the hell out of them.
Nico Golde wrote:
> Hi Olivier,
> * Olivier Berger <[EMAIL PROTECTED]> [2008-08-13 12:53]:
>> Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
> [...]
>>> I'm hoping for the next release that I can move everything in
t we're ok for the version that is going into
lenny - I'll close it as soon as i can find the docco for howto do that :/
Sven
Steve Kemp wrote:
> On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
>
>> I will have to assume that this report is indeed incorrect unles
d around the fs, including pollution the
perl lib dirs) so that TWiki people stop being totally confused by the
setup :/
Sven
Nico Golde wrote:
> Hi Sven,
> * Sven Dowideit <[EMAIL PROTECTED]> [2008-08-13 11:05]:
>> I'd need a second opinion on this report please.
>>
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Guys,
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
If not, is there any chance that automated tool users are at least
required to help out with a bit more information that the alarmist text
ah, good find.
Ardo and Christian,
If I make an update to the 4.1.2 package, fixing this, and a couple of
other issues that I've been told about in the next 48 days, would one of
you be willing to upload it for me so it gets into Lenny?
Sven
Dmitry E. Oboukhov wrote:
> Package: twiki
> Severit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was hoping to have time for this today, but it seems not to be.
I would suggest using 'TWiki Configure User & Password' and setting the
configure save pwd to the same thing. (and making the username for it
'admin')
That way it will not need to chan
ote:
Le mardi 10 juin 2008 à 17:39 +1000, Sven Dowideit a écrit :
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue.
OK, here I strongly disagree.
You say you don't see as a "major issue" that any
Also, the patch was found, by you to be defective. So I was expecting to
see another round.
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In current state of the Debian package, if nothing is changed manually to the
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue. no-one on the security team suggested it was
either, leading me to believe that we had a consensus.
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: sec
is this a bug in the debian pakage? If it is a general twiki bug, could
you report it in the upstream bug tracking system??
http://develop.twiki.org.
Cheers
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.0.5-9.1
Severity: normal
Whenever accessing a topic (view) with a malformed URL
as per Nico's point wrt to
filling /var
and fixed a few other bitzers
I've reported the issue upstream so we can look at doing a more lasting change
for the next release.
Sven
On Fri, 2007-10-26 at 16:57 +1000, Sven Dowideit wrote:
> ok, I'll implement this on the w/e, a
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release. Thankyou Joey, as usual you've helped us unsafe bumbles again.
Sven
On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
> Sven Dowideit wrote:
> > neat summary Joey :)
> >
> >
, its security is a crock :(
Do you have any suggestions (other than re-writing TWiki?) or should I
just disable that funcionality and run away?
Sven
On Tue, 2007-10-23 at 16:45 -0400, Joey Hess wrote:
> Sven Dowideit wrote:
> > the working/tmp dir is used for rcs tmp files, and twiki
bout them. The solution to make him understand this, is not
> to yell at him and stop explaining, but rather continue explaining in a
> friendly way.
>
> Sven, please ignore Nicos tone and have a look at
> http://en.wikipedia.org/wiki/Symlink_race :-)
>
>
> Thanks &a
ssion files which have their
own uniqued filename.
and so, I think you are in error, and need to read the code a little
before you make assertions like this.
Sven
On Sun, 2007-10-21 at 12:26 +0200, Nico Golde wrote:
> Hi Sven,
> * Sven Dowideit <[EMAIL PROTECTED]> [2007-10-
you ignore this, and Ardo, why did you upload this?
> >
> > Nico,
> >
> > Oops! Totally overlooked this one. Yes, that should never have been
> > uploaded.
> > (For a moment I was afraid I took the wrong version from Sven's website,
> > but
>
I took the wrong version from Sven's website,
> but
> this is the only version for this fix.)
>
> I also wasn't aware of you being involved in this.
>
> Sven,
>
> This is not good. Let's never do this again.
>
> Thanks,
> Ardo
>
>
--
P
I thought that Debian was supposed to be so close to releasing Etch that
I shouldn't change upstream versions so dramatically?
Sven
On Sun, 2007-03-11 at 09:12 +0100, Michael Biebl wrote:
> Package: twiki
> Severity: wishlist
>
> Hi,
>
> please consider packaging the latest version, which is 4.
l be another week (i think)
Sven
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
is mentioned in README.Debian, I didn't think the
> symlinks are needed. Here's a patch. As usual, it comes with an offer
> to NMU the package.
>
> Regards, Frank
>
>
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
I've made a new version of the package (that fixes this, and other
issues), and its waiting in my sponsor's queue
http://members.iinet.net.au/~spos/twiki_4.0.5-9_all.deb
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCR
Package: twiki
Version: 1:4.0.5-7
I expect to look into this on the weekend
Sven
On Thu, 2007-02-08 at 09:31 -0800, Peter Thoeny wrote:
> This is a security advisory for TWiki installations:
>
> Local users may cause TWiki to execute arbitrary code
> by creating CGI session files.
>
> * V
yes, TWiki does not run without a dataset.
if you don't use the sample topic set, the presumption is that you
are either upgrading, re-installing, or using your own.
Luca, can you suggest a better wording for the user prompt?
Cheers
Sven
(ps, I'm without computer for the next 3 weeks)
On
I think these are settings that are still set on the
TWiki.TWikiPreferences or Main.TWikiPreferences topic, not via
configure.
Basically, only settings that are accessible via the configure
interface, are gotten from LocalSite.cfg.
its an interesting suggestion for upstream - you could cr
heck y,
sorry, blindness causes bad side-effects :(
mind you, I personally wish debian would see the light, and create a
webserver-cgi pseudopackage, with a universal configuration builder
that way little packages like twiki would not have dependancies on
_any_ particular versions...
Che
ain
what i can.
Sven
On 04/11/2006, at 3:52 AM, Antony Gelberg wrote:
I haven't cc'd the bug 367973 that this comes from - Steve if you
want the background please see http://bugs.debian.org/cgi-bin/
bugreport.cgi?bug=367973 and http://bugs.debian.org/twiki.
Sven Dowideit:
its
its stuff like this that just keeps depressing me into not finishing the
work i do packaging twiki for debian.
your officiousness is a joy, ta.
same sort of thing as when just before the last debian release came out,
and some one helpfully filed an un-reproducible RC bug, that didn't
happen for a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I implemented the .mailnotify suggestion in (20030201-3) - but i've been
reluctant to create a crontab magically
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
/usr/lib/cgi-bin/nagios/grouplist.cgi is not a twiki script
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEARQpPAwzu0QrW+kRAp3sAJ9A1mjzWdKxIwdGlcqStM5IWY
> and this bug report can be closed?
>
> Micah
>
> Sven Dowideit wrote:
>
>>>while I think its very reasonable for you to send along these
>>>advisories, and even doing so as a BTS bug wothout testing them
>>>
>>>I think its incredibly rud
vulnerabilities in Debian. It is better to be asked once if this is an
> issue and have it properly noted, than for Debian to not pay attention
> to anything at all and be riddled with security holes.
>
> micah
>
>
>
> Sven Dowideit wrote:
>
>>>excellen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
excellent.
Micah, did you manage to reproduce this in the debian package at all?
you see, the debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume that you
have found a way to make it happ
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
why are you running a totally outdated twiki package?
http://packages.debian.org/unstable/web/twiki only lists 20040902-3, in
which this problem has been solved using the robustness patch from
Florian Weimer <[EMAIL PROTECTED]>
Cheers
Sven
Paul Sza
Isn't this already fixed in the latest version og the package? (20040902-3)
twiki (20040902-2) unstable; urgency=emergency
.
* removed Text::Diff, added depends libtext-diff-perl (Closes #29522)
* set twikiLibPath to /usr/share/perl5 in setlib.cfg (Closes #296461)
* applied robustness
cut 'r' and major
> ---
> > ($rev1) = $rev1 =~ /r?1\.(\d*)/; # cut 'r' and major
> > ($rev2) = $rev2 =~ /r?1\.(\d*)/; # cut 'r' and major
>
> Tristan
>
>
>
> On Sat, May 07, 2005 at 07:15:29PM +1000, Sven Dowideit wrote:
>
> Il giorno sab, 07-05-2005 alle 19:22 +1000, Sven Dowideit ha scritto:
> > While I'd agree that this is pretty grave really, I can't reproduce
> > this.
> >
> > is there any more info that you can give me?
> >
> > are you able to create / edit topi
While I'd agree that this is pretty grave really, I can't reproduce
this.
is there any more info that you can give me?
are you able to create / edit topics, add an attachement to a new topic,
or anything like this?
Sven
On Fri, 2005-04-22 at 11:09 +0200, Andrea Ceccanti wrote:
> Package: twiki
I'm sorry, but I cannot re-produce this. and when testing your suggested
change, I get other errors in my log.
is there any more information you can give me?
(what topics, what kind of changes, which particular diffs link)
Sven
On Mon, 2005-05-02 at 07:01 -0400, [EMAIL PROTECTED] wrote:
> Packa
as the original writer of the topic upgrading part of UpgradeTWiki
(though mine was really just a test / proof of concept) I would agree,
that right now, it would be best not to use the debian package on a
large complex twiki config - I'm intending it to become better, and am
working on UpgradeTWik
Frank,
i don't think gnusave is part of the twiki package.
are you fixing bugs in the gnu skin? in which case they need (at least
for now) to be reported and fixed upstream
Sven
On Wed, 2005-02-16 at 15:49 +0800, Frank Horowitz wrote:
> Package: twiki
> Version: 20040902-1
> Severity: importan
Package: twiki
Version: 20030201-6
you should be able to unpack plugins in /var/lib/twiki
This has been working for me with version 20030201-6 on Sarge (testing).
I think the way to best match what other Debian packages do would be to
have TWiki look in /usr/local for locally-installed template
I don't know if I've asked you (though I meant to) -
can you Please send me some info on how you get independant twiki's
configured and (possibly more importantly) how you get the multiple
apache installs working out?
I'm hoping that you are rolling your own deb's - :)
I'm about to upload a Cai
mmm,
I'd like to close this, without making any changes for now.
the apache.conf file is in this directory, but I think softlink to it in
the different apache conf directories. This keeps the twiki
configuration files together, while not losing the configuration when
you swap between apache, apa
66 matches
Mail list logo
