-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 19/01/13 10:09, Salvatore Bonaccorso wrote:
> Hi Yves,
>
> On Mon, Jan 07, 2013 at 09:32:48PM +0100, Yves-Alexis Perez wrote:
>> On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
>>> On 07/01/13 07:27, Yves-Alexis Perez wrote:
>>>> On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
>>>>
>>>>> Yes, the 3.1.8 security fix from upstream has been packaged
>>>>> and has been waiting for security team to process through
>>>>> to the archive
>>>>>
>>>> Can you elaborate on that?
>>>>
>>>
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
>>>
>>> was done before I became a DD, so although I could upload the
>>> fix into git.debian.org, I did not have any access to upload
>>> any binary package
>>>
>>> Has somebody built and uploaded to the archive already? As it
>>> is for current stable branch, can I upload myself or does the
>>> security team take care of the upload?
>>
>> Please provide a debdiff against stable.
>
> I tried to look at this myself and found upstream commit [1], for
> a similar commit.
>
> [1]:
> https://github.com/ganglia/ganglia-web/commit/b9f47b0eb9ae81144e90544b04e85bed15c8c2f4
>
> Comparing the diff 3.1.7 to 3.1.8 source I find this:
>
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> diff -urN source-ganglia/ganglia-3.1.7/web/graph.php ganglia-3.1.8/web/graph.php
> --- source-ganglia/ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100
> +++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200
> @@ -1,5 +1,5 @@
>  <?php
> -/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
> +/* $Id$ */
>  include_once "./eval_config.php";
>  include_once "./get_context.php";
>  include_once "./functions.php";
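Review bot: the `$Id` keyword change in the `@@ -1,5 +1,5 @@` hunk is unrelated to the traversal fix; it only swaps the expanded `/* $Id: graph.php 2183 ... */` line for `/* $Id$ */`. For the squeeze debdiff carry only the `@@ -122,7` check, so that the stable update contains nothing but the security change and the security team can review it as such.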
> @@ -122,7 +122,7 @@
>
>  $graph_file = "$graphdir/$graph.php";
>
> -if ( is_readable($graph_file) ) {
> +if ( is_readable($graph_file)
> and realpath($graphdir) === dirname(realpath($graph_file)) ) {
>    include_once($graph_file);
>
>    $graph_function = "graph_${graph}";
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> By passing g= argument, it is possible to traverse the path and
> load another file and execute code from it.
>
> Attached is the debdiff against 3.1.7-1 in squeeze.
>
> Regards,
> Salvatore

Just following up on this

- - I've added pkg-monitoring-maintain...@lists.alioth.debian.org to the CC, as there are more people now involved with Ganglia packaging

- - if it is acceptable for the upload, I've also put the current Maintainer and VCS details in debian/control on the squeeze branch

diff --git a/debian/changelog b/debian/changelog
index a655fa6..0a0cb20 100644
- --- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ganglia (3.1.8-2) UNRELEASED; urgency=low
+
+  * Package now under pkg-monitoring maintainership, update control
+
+ -- Daniel Pocock <dan...@pocock.com.au>
+
 ganglia (3.1.8-1) unstable; urgency=low

   * Fix for path injection security bug (Closes: #683584)
diff --git a/debian/control b/debian/control
index e308bad..4970f40 100644
- --- a/debian/control
+++ b/debian/control
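Review bot: in the `@@ -122,7 +122,7 @@` hunk the new `realpath($graphdir) === dirname(realpath($graph_file))` comparison is evaluated only after `is_readable($graph_file)` has already probed the attacker-chosen path, and `$graph` still flows unchecked into `$graph_function = "graph_${graph}"` later in the same hunk. Validating `$graph` first, for example with `preg_match('/^[A-Za-z0-9_]+$/', $graph)` before `$graph_file` is built, rejects `../` input before it reaches the filesystem or the function name, and the realpath/dirname comparison then remains as defence in depth. The comparison itself is the right shape: resolving both sides defeats `..` and symlinks, and requiring the parent directory to be equal, rather than a string prefix, also closes the `graphdir_foo/` case that a prefix check would pass.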
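Review bot: the new entry in the `@@ -1,3 +1,9 @@` changelog hunk targets `UNRELEASED` and describes only the maintainership change, although the message says this is the squeeze branch. A stable security upload needs the target distribution (squeeze-security) in the changelog, a line naming the fix it carries (#683584 is referenced only in the `3.1.8-1 unstable` entry kept as context below), and a version that sorts below what unstable ships: `3.1.8-2` would sort above the `3.1.8-1` already in unstable, so a stable-style version such as `3.1.8-1+squeeze1` is the usual form (Salvatore's debdiff was made against `3.1.7-1`). The trailer `-- Daniel Pocock <...>` also shows no date as extracted; check that the entry was written with `dch` so the date and two-space separator are present.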
@@ -1,10 +1,12 @@
 Source: ganglia
 Section: net
 Priority: optional
- -Maintainer: Stuart Teasdale <s...@debian.org>
+Maintainer: Debian Monitoring Maintainers <pkg-monitoring-maintain...@lists.alioth.debian.org>
 Homepage: http://www.ganglia.info/
 Build-Depends: debhelper (>> 5.0.0), librrd2-dev, autoconf, autotools-dev, automake, libapr1-dev, libexpat1-dev, python-dev, libconfuse-dev, po-debconf, libxml2-dev, libdbi0-dev, libpcre3-dev
 Standards-Version: 3.8.4
+Vcs-Git: git://git.debian.org/pkg-monitoring/ganglia.git
+Vcs-Browser: http://git.debian.org/?p=pkg-monitoring/ganglia.git;a=summary

 Package: ganglia-monitor
 Architecture: any

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJQ+nP3AAoJEOm1uwJp1aqDN0kP/3g9SBcE5eHkDByH8db2Lu4E
1jFIHRbOUn/eOmK1YGcxW+t+sBzS4SJYLkXl6l+xnb9PJxRl6NnCNrJc+Vpam3ih
f4z1A4gQyHGu9ahUreH0SixE4j8it/nGuxClcRctEJ802+BVnkHUncLxQZtKbisS
973BDcOU5+nyBcW93BomQGcy/E3Gozyu5KNrgOOvarKxMF8I+qUWuyfyqrv4qxn/
FQHLOKA+D+zEgrQagECD3/7HPeYE/nMCjb2EwdBp19/4UWbXHfb/m2+my3hSrZyn
pn8BHrcTncDs7hYPve98v1WybjVH+/zZxs+BMaxsMQ8ouTdhxXC6snx5j9xf+QVf
iP/fg/Hy0kFWRxmWBEDY+r0BB1mwXmY/noo7CaCBYLXW2KrFpbyC9ORx6qT62uwS
ts4PfDiNnDnjWnbQ2zb4giQNLguq2gVhzCMpju1dDm8hfhvxLzAn98BvJjidFPcz
Gj7ztmEXQo6wzBCa9K2YALtcoNo0xuSc+EtW9E/wfa9BeLppmI4hc/FaUiJmva7A
2DhLbdzAnNUJYDWrpopp6wovz5zO2b05OBf5d9ujun4X911WbyJbPLI4o7IKFOrC
+SWdHlGkBE/7KXoreQcjItpl2DLAydT5ST+40S0T+KIZCDoDedjcSHYgFnmSPCOT
MS1k7t+SPZi1HFWE466z
=vdTp
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
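Review bot: the Maintainer swap and the two `Vcs-*` fields in the `@@ -1,10 +1,12 @@` control hunk are packaging-metadata changes that do not belong in a stable security debdiff; the security team wants a minimal diff, so keep these for the unstable upload. If they are kept on the squeeze branch anyway, add an `Uploaders:` field naming the human maintainers, since a mailing list as `Maintainer` without `Uploaders` leaves no individually accountable uploader, and record that the previous maintainer agreed to the handover (the message only says "if it is acceptable"). Leaving `Standards-Version: 3.8.4` untouched is correct for a stable update.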