Hi Amaya,
* Amaya [EMAIL PROTECTED] [2007-10-29 10:40]:
Sven Dowideit wrote:
I've uploaded a new version to
http://distributedinformation.com/TWikiDebian/ (twiki_4.1.2-3_all.deb)
Please remove me from uploaders.
I am going to sponsor the twiki upload now.
Sven, no need to make a new
Nico Golde wrote:
I just remove Amaya from Uploaders before the build
thx!
but please keep track on it in future versions then.
I am subscribed to the pts.
Happy sponsoring!
--
·''`. If I can't dance to it, it's not my revolution
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-29 08:34]:
I've uploaded a new version to
http://distributedinformation.com/TWikiDebian/ (twiki_4.1.2-3_all.deb)
* secure /var/www/twiki/pub/_work_areas (Closes: #444982)
CVE-2007-5193
* session files in /tmp/twiki, and add
Sven Dowideit wrote:
I've uploaded a new version to
http://distributedinformation.com/TWikiDebian/ (twiki_4.1.2-3_all.deb)
Please remove me from uploaders.
--
·''`. If I can't dance to it, it's not my revolution
-- Emma Goldman
righto,
I've uploaded a new version to
http://distributedinformation.com/TWikiDebian/ (twiki_4.1.2-3_all.deb)
* secure /var/www/twiki/pub/_work_areas (Closes: #444982)
CVE-2007-5193
* session files in /tmp/twiki, and add O_EXCL to files that go there
* updated Vietnamese
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release. Thank you Joey, as usual you've helped us unsafe bumbles again.
Sven
On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
Sven Dowideit wrote:
neat summary Joey :)
The reason that I made it world writeable, is
Hi,
On Tuesday 23 October 2007 22:14, Joey wrote:
I would not recommend considering this wikipedia page an authoritative
reference for what can and cannot be used for symlink attacks.
Right.
Nonetheless I found it useful to quickly point out the problem, even if the
solution is not optimal.
Hi Holger,
* Holger Levsen [EMAIL PROTECTED] [2007-10-26 13:54]:
On Tuesday 23 October 2007 22:14, Joey wrote:
I would not recommend considering this wikipedia page an authoritative
reference for what can and cannot be used for symlink attacks.
[...]
Does the (testing) security team have a
I have a few questions:
What's the difference between
chmod 777 /var/lib/twiki/working/tmp
and
chmod 777 /tmp/twiki
as that is all it seems to me you're suggesting is the difference
between a CVE raised on a maybe problem that requires a very odd set of
circumstances and what you have
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-23 10:37]:
I have a few questions:
What's the difference between
chmod 777 /var/lib/twiki/working/tmp
and
chmod 777 /tmp/twiki
Can you please read the mail I wrote and Cced you in?
I remember I wrote The old solution is of course
Hi Sven,
btw about the insecure permissions, here you have the next
thing:
[EMAIL PROTECTED]:~$] ls -l /var/lib/twiki/data/.htpasswd
-rw-rw-r-- 1 www-data www-data 25 2007-10-23 10:56 /var/lib/twiki/data/.htpasswd
I guess this is also not intended.
Kind regards
Nico
--
Nico Golde -
Nico,
On Tuesday 23 October 2007 10:51, you wrote:
NO ONE SAID THERE IS ANY WEBCONTENT STORED IN THERE, CAN YOU
PLEASE JUST READ UP WHAT A SYMLINK ATTACK IS? THANKS!
This is the last mail from my side as long as you ignore
what I wrote in previous mails.
I understand your frustration (that
mmm, following the link makes me even less convinced that there is a
problem.
the working/tmp dir is used for rcs tmp files, and twiki session files,
both of which use randomised unique filenames.
as the Wikipedia page suggests that the problem is avoided by using
randomised filenames, we seem
Hi Sven,
ok trying again in a friendly way.
* Sven Dowideit [EMAIL PROTECTED] [2007-10-23 15:10]:
mmm, following the link makes me even less convinced that there is a
problem.
the working/tmp dir is used for rcs tmp files, and twiki session files,
both of which use randomised unique
Holger Levsen wrote:
Sven, please ignore Nico's tone and have a look at
http://en.wikipedia.org/wiki/Symlink_race :-)
I would not recommend considering this wikipedia page an authoritative
reference for what can and cannot be used for symlink attacks.
In particular, choosing a random filename
Sven Dowideit wrote:
the working/tmp dir is used for rcs tmp files, and twiki session files,
both of which use randomised unique filenames.
rcs opens its temp files with O_EXCL, so I don't think it will be vulnerable
to symlink attacks.
In twiki 4.1.2, I quickly found some temp file problems.
neat summary Joey :)
The reason that I made it world writeable, is that twiki cgis can be
run from the command line by anyone, and in doing so, create a session
file.
This is used by cronjobs, and so that users can script additions to
topics etc.
Basically, like much of the rest of TWiki, its
Sven Dowideit wrote:
neat summary Joey :)
The reason that I made it world writeable, is that twiki cgis can be
run from the command line by anyone, and in doing so, create a session
file.
This is used by cronjobs, and so that users can script additions to
topics etc.
Making the
Bizarre,
I don't have any email from Holger, at any time, nor did I search for a
new sponsor. Ardo has been sponsoring this package for the last few
years, with Amaya helping me out both with the debian bits, and with
uploading when things were busy.
so, um, what are you debian people up to?
I
ok, following the url..
Nico, you seem to me to be incorrect.
777 is on the working/tmp dir only, which is not used for any web
content. Also, as the twiki cgi scripts are callable from the command
line by any user, requiring the working/tmp dir to be writable by any
user, I can't think of any
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-21 11:57]:
Bizarre,
I don't have any email from Holger, at any time, nor did I search for a
new sponsor. Ardo has been sponsoring this package for the last few
years, with Amaya helping me out both with the debian bits, and with
uploading
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-21 11:57]:
ok, following the url..
Nico, you seem to me to be incorrect.
777 is on the working/tmp dir only, which is not used for any web
content.
I didn't say this but twiki is using it, no?
Let's assume you put a symlink in there with
Sven Dowideit wrote:
Bizarre,
I don't have any email from Holger, at any time, nor did I search for a
new sponsor. Ardo has been sponsoring this package for the last few
years, with Amaya helping me out both with the debian bits, and with
uploading when things were busy.
so, um, what are you
Hi,
errm why on earth did you (Sven) search for another sponsor when
Holger was looking into your package but decided not to
upload it because of the changes you made?
You searched a new sponsor with exactly the same debdiff.
I am sorry but it looks like this was intentionally because
I Cced
Nico Golde wrote:
Hi,
errm why on earth did you (Sven) search for another sponsor when
Holger was looking into your package but decided not to
upload it because of the changes you made?
You searched a new sponsor with exactly the same debdiff.
I am sorry but it looks like this was