Your message dated Sun, 15 Apr 2007 09:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#404297: fixed in webcalendar 1.0.5-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: webcalendar
Version: 1.0.4-1
Severity: serious
Tags: security

Hi,

When doing a default Debian install of webcalendar, you end up with a
configuration that has register_globals set to On:

        <DirectoryMatch /usr/share/webcalendar/www/>
            Options +FollowSymLinks
            AllowOverride None
            order allow,deny
            allow from all
            php_flag magic_quotes_gpc On
            php_flag track_vars On
            php_flag register_globals On
            php_value include_path .
            # you can use this environment variable to tell webcalendar to use a
            # different conf file than the default listed here
            SetEnv WEBCALENDAR_CONFIG_FILE /etc/webcalendar/settings.conf
        </DirectoryMatch>

This is bad - the register_globals setting has been defaulted to Off for
years in PHP for a very good reason: it opens up a lot more
possibilities for security issues.

The Debian security team does not support installations with
register_globals on. Hence, this package is unsupportable in its default
configuration. That warrants a "serious" bug to me.

Given that:
 * Webcalendar has had two unacknowledged NMUs;
 * The maintainer hasn't been active since 2005 in Debian, with one
   exception: an upload in April;
 * There's been a significant number of webcalendar security issues
   in the past years;
there should either be an active maintainer for this package or it
should not be shipped in etch.


Thijs



--- End Message ---
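The report above turns on a single Apache directive, so the practical check is to find every per-directory `php_flag`/`php_value` line that enables a legacy setting and flip it to Off, as the 1.0.5-1 upload does in debian/apache.conf. The audit script below is an added example, not code from the bug report, from Debian or from the webcalendar package. It embeds the quoted DirectoryMatch block as its sample input; the section and directive regexes, the list of settings treated as risky (register_globals from the report, plus magic_quotes_gpc and allow_url_include as assumed additions), and the optional `php_admin_flag` rewrite are my assumptions about a typical mod_php layout.

```python
"""Audit Apache per-directory PHP directives for settings that are unsafe
when enabled, and emit a hardened copy.  Added example, not part of the
Debian bug report or the webcalendar package."""
import re
from typing import List, Tuple

# Sample input: the DirectoryMatch block quoted in the bug report.
WEBCALENDAR_APACHE_CONF = """\
<DirectoryMatch /usr/share/webcalendar/www/>
    Options +FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
    php_flag magic_quotes_gpc On
    php_flag track_vars On
    php_flag register_globals On
    php_value include_path .
    # you can use this environment variable to tell webcalendar to use a
    # different conf file than the default listed here
    SetEnv WEBCALENDAR_CONFIG_FILE /etc/webcalendar/settings.conf
</DirectoryMatch>
"""

# mod_php directives that set PHP INI values from Apache config.
DIRECTIVE_RE = re.compile(
    r"^\s*(php_(?:admin_)?(?:flag|value))\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE
)
SECTION_OPEN_RE = re.compile(r"^\s*<(\w+)\s+([^>]*)>\s*$")
SECTION_CLOSE_RE = re.compile(r"^\s*</(\w+)\s*>\s*$")

# Assumed list: INI settings that are unsafe when On, with the reason.
RISKY_WHEN_ON = {
    "register_globals": "request parameters become global PHP variables",
    "magic_quotes_gpc": "deprecated input mangling, not a substitute for escaping",
    "allow_url_include": "include/require can load remote code",
}

_TRUTHY = {"1", "on", "true", "yes"}
_FALSY = {"0", "off", "false", "no", "none", ""}


def normalise_bool(value: str) -> str:
    """Map the spellings PHP accepts for INI booleans to 'on' or 'off'."""
    v = value.strip().strip("\"'").lower()
    if v in _TRUTHY:
        return "on"
    if v in _FALSY:
        return "off"
    return v  # non-boolean php_value such as an include_path


def parse_php_directives(config_text: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (line_no, scope, directive, setting, value) for each php_* line.

    scope is the argument of the enclosing <Directory>/<DirectoryMatch>/...
    section, or 'server' for directives outside any section.
    """
    scope_stack: List[str] = []
    found = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SECTION_OPEN_RE.match(line)
        if m:
            scope_stack.append(m.group(2).strip())
            continue
        if SECTION_CLOSE_RE.match(line):
            if scope_stack:
                scope_stack.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            scope = scope_stack[-1] if scope_stack else "server"
            found.append((n, scope, m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return found


def find_risky_settings(config_text: str) -> List[dict]:
    """Flag every php_* directive that enables a setting in RISKY_WHEN_ON."""
    findings = []
    for n, scope, directive, setting, value in parse_php_directives(config_text):
        if setting in RISKY_WHEN_ON and normalise_bool(value) == "on":
            findings.append({"line": n, "scope": scope, "directive": directive,
                             "setting": setting, "reason": RISKY_WHEN_ON[setting]})
    return findings


def harden(config_text: str, use_admin: bool = False) -> str:
    """Rewrite flagged lines to Off, keeping indentation.

    With use_admin=True the line becomes php_admin_flag, which .htaccess
    files cannot override (an assumed policy choice, not Debian's fix).
    """
    risky_lines = {f["line"] for f in find_risky_settings(config_text)}
    out = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if n in risky_lines:
            m = DIRECTIVE_RE.match(line)
            indent = line[: len(line) - len(line.lstrip())]
            directive = "php_admin_flag" if use_admin else m.group(1)
            line = f"{indent}{directive} {m.group(2)} Off"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_risky_settings(WEBCALENDAR_APACHE_CONF):
        print(f"line {f['line']} [{f['scope']}]: {f['setting']} On - {f['reason']}")
    print(harden(WEBCALENDAR_APACHE_CONF))
```

Run against the packaged apache.conf, the script reports register_globals (and magic_quotes_gpc) inside the /usr/share/webcalendar/www/ scope and prints a copy with both turned Off; pointing it at /etc/apache2/conf.d/ gives a quick post-upgrade check that no other package has re-enabled the flag.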
--- Begin Message ---
Source: webcalendar
Source-Version: 1.0.5-1

We believe that the bug you reported is fixed in the latest version of
webcalendar, which is due to be installed in the Debian FTP archive:

webcalendar_1.0.5-1.diff.gz
  to pool/main/w/webcalendar/webcalendar_1.0.5-1.diff.gz
webcalendar_1.0.5-1.dsc
  to pool/main/w/webcalendar/webcalendar_1.0.5-1.dsc
webcalendar_1.0.5-1_all.deb
  to pool/main/w/webcalendar/webcalendar_1.0.5-1_all.deb
webcalendar_1.0.5.orig.tar.gz
  to pool/main/w/webcalendar/webcalendar_1.0.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Elizabeth Bevilacqua <[EMAIL PROTECTED]> (supplier of updated webcalendar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 15 Apr 2007 10:27:19 +0200
Source: webcalendar
Binary: webcalendar
Architecture: source all
Version: 1.0.5-1
Distribution: unstable
Urgency: low
Maintainer: Elizabeth Bevilacqua <[EMAIL PROTECTED]>
Changed-By: Elizabeth Bevilacqua <[EMAIL PROTECTED]>
Description: 
 webcalendar - PHP-Based multi-user calendar
Closes: 374752 375308 381190 384224 389543 404297
Changes: 
 webcalendar (1.0.5-1) unstable; urgency=low
 .
   [ Elizabeth Bevilacqua ]
   * New upstream release (this version fixes vulnerability CVE-2007-1343)
   * debian/apache.conf - Turned register_globals Off (closes: #404297)
   * debian/control maintainer change for adoption of package
   * Revised Depends:, Recommends:, and Suggests:
   * Added debian/NEWS
   * Acknowledge NMUs:
     + Closes: #389543, thanks Steinar H. Gunderson
     + Closes: #374752, #381190, #384224, thanks Thijs Kinkhorst
 .
   [ Rafael Laboissiere ]
   * debian/control:
     + Added my name to the Uploaders field
     + Added XS-Vcs-Svn and XS-Vcs-Browser fields
   * debian/watch: Fixed regular pattern to avoid considering
     WebCalendar-devel-* upstream tarballs
   * debian/patches/01_config_patch.dpatch: Removed part of this patch that
     was preventing die_miserable_death() from echoing error messages
     (closes: #375308)
   * debian/patches/02_pgsql_patch.dpatch: Adapted for version 1.0.5
   * debian/webcalendar.links, debian/dirs, debian/install: Put the
     install SQL scripts in the correct place, such that they are found by
     dbconfig-common
   * debian/apache.conf: Declared index.php as a DirectoryIndex, such that
     the URL http://<host>/webcalendar/ works
   * debian/webcalendar.prerm: Added pre-removal script, which allows
     dbconfig-common to ask the user whether the database should be dropped
     on purge
Files: 
 1234fabbd372419a9fa8299d3093b610 836 web optional webcalendar_1.0.5-1.dsc
 003f730a3c48bfa7b384104b89b84d34 890163 web optional webcalendar_1.0.5.orig.tar.gz
 e797b55c9a1741af4cd7f84238caaca3 22779 web optional webcalendar_1.0.5-1.diff.gz
 1574978a101b8fc49696e85dbe438373 719016 web optional webcalendar_1.0.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGIeY5k3oga0pdcv4RAmamAKCTElTyZNisl5RwRkMA5UEDlCU4lQCcD69J
QyEH5FtjJpbz25oAvMAHWeA=
=98y5
-----END PGP SIGNATURE-----


--- End Message ---
