Sadly, the upstream fix doesn't address the root cause of the url
parameter problem (and we've reported to them at least one exploit that
is unfixed by their patch), and I'm working on the Foswiki fork of
twiki, which is addressing the security issues we know about in what I
consider a more thoroug
ah, thanks :)
do I need to find and contact (and bribe with beer?) someone to
'convince release-manager'?
Sven
Vincent Bernat wrote:
> OoO En ce début d'après-midi ensoleillé du dimanche 24 août 2008, vers
> 15:33, Sven Dowideit <[EMAIL PROTECTED]> disait :
>
someone please upload it for me so it can go into Lenny?
Sven
Vincent Bernat wrote:
> OoO Pendant le temps de midi du samedi 16 août 2008, vers 12:36, Sven
> Dowideit <[EMAIL PROTECTED]> disait :
>
>> frustratingly, I'm not a DD
>> and Worse. I have an emer
, mediawiki,
>> etc. Each attempt to establish a webapps policy seems to be aborted.
>
> That's why I asked for advice on debian-devel@ with no success :(
> http://lists.debian.org/debian-devel/2008/08/msg00340.html
>
> Feel free to comment anyway ;)
>
> Best re
ncy
>> .
>>* squash softlink exploit on session directory (Closes: #494648)
>>* related issue with passthrough files (Closes: #468159)
>>* fix dependancys on apache* rather than apache*-common (Closes:
>> #482285)
>>* remove TWikiGuest use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ardo, Christian ..
I've just put an updated version of the twiki package at
http://distributedinformation.com/TWikiDebian/
that fixes both the security flaw Dmitry found, and a few other bad
oddities.
Could one of you by any chance take a look at i
similar to the change I have just coded and tested :)
thanks
Dmitry E. Oboukhov wrote:
> tags 494648 patch
> thanks
>
> Hi, Sven
>
> see my patch, please
>
> --
>
> . ''`. Dmitry E. Oboukhov
> : :’ : [EMAIL PROTECTED]
> `. `~’ GPGKey: 1024D / F8E26537 2006-11-21
> `- 1B23 D4F8 8EC0 D902 0
how would this would be different from ?
Debian Bug report logs - #468159
twiki: Redirect after Template Login failes
Olivier Berger wrote:
> On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
>> the best irony of this bug, is :
>>
>>> I've implemen
Dmitry E. Oboukhov wrote:
> On 00:38 Thu 14 Aug , Sven Dowideit wrote:
> SD> No, I was told by Nico or Joey that web apps should not be filling up
> SD> the /var filesystem with session files.
>
> SD> this is apparently also _not_ a solution.
>
> SD> /tmp
Yes, you should not share CGI::Session files, it does lead to leakage,
and really odd side effects.
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 16:19 +0200, Julien Cristau a écrit :
>> On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
>>
>>> so Dmitry,
&g
No, I was told by Nico or Joey that web apps should not be filling up
the /var filesystem with session files.
this is apparently also _not_ a solution.
/tmp was determined in October 2007 as the best place
Dmitry E. Oboukhov wrote:
> On 00:17 Thu 14 Aug , Sven Dowideit wrote:
> SD&
So are you suggesting that I instead fill up /tmp directly with
thousands of cgisess_123412 files?
because the location that those files go into needs to be predictable -
so that each cgi script goes to the same place.
Julien Cristau wrote:
> On Wed, Aug 13, 2008 at 23:24:47 +1000, S
these are _WEB_ session files.
there are no user directories.
Dmitry E. Oboukhov wrote:
> SD> so Dmitry,
>
> SD> if you were trying to actually help get this fixed, I presume you would
> SD> have suggested that I just patch the code to
>
> SD> rm /tmp/twiki
> SD> and then create it?
>
> SD> o
so Dmitry,
if you were trying to actually help get this fixed, I presume you would
have suggested that I just patch the code to
rm /tmp/twiki
and then create it?
or what are you actually suggesting?
Sven
Dmitry E. Oboukhov wrote:
>
> Where?
>
> $curl
> http://ftp.nl.debian.org/debian/pool/
no, its got nothing to do with /var/lib/twiki/data etc, its the location
for session data - produced by CGI::Session etc.
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 11:12 +0100, Steve Kemp a écrit :
>> On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
>
>>
:
>
> DBTS> #494648: The possibility of attack with the help of symlinks in some
> Debian packages
>
> DBTS> It has been closed by Sven Dowideit <[EMAIL PROTECTED]>.
>
> DBTS> Their explanation is attached below along with your original report.
> DBTS> If
k to /tmp/twiki, as per Nico's point
wrt to filling /var
Sven
Olivier Berger wrote:
> Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
>> Nico,
>>
>> /var/run - I'll keep that in mind for post lenny - I was really hoping
>> that debian had a
fuses the hell out of them.
Nico Golde wrote:
> Hi Olivier,
> * Olivier Berger <[EMAIL PROTECTED]> [2008-08-13 12:53]:
>> Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
> [...]
>>> I'm hoping for the next release that I can move everything in
t we're ok for the version that is going into
lenny - I'll close it as soon as i can find the docco for howto do that :/
Sven
Steve Kemp wrote:
> On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
>
>> I will have to assume that this report is indeed incorrect unles
d around the fs, including pollution the
perl lib dirs) so that TWiki people stop being totally confused by the
setup :/
Sven
Nico Golde wrote:
> Hi Sven,
> * Sven Dowideit <[EMAIL PROTECTED]> [2008-08-13 11:05]:
>> I'd need a second opinion on this report please.
>>
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Guys,
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
If not, is there any chance that automated tool users are at least
required to help out with a bit more information that the alarmist text
ah, good find.
Ardo and Christian,
If I make an update to the 4.1.2 package, fixing this, and a couple of
other issues that I've been told about in the next 48 days, would one of
you be willing to upload it for me so it gets into Lenny?
Sven
Dmitry E. Oboukhov wrote:
> Package: twiki
> Severit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was hoping to have time for this today, but it seems not to be.
I would suggest using 'TWiki Configure User & Password' and setting the
configure save pwd to the same thing. (and making the username for it
'admin')
That way it will not need to chan
ote:
Le mardi 10 juin 2008 à 17:39 +1000, Sven Dowideit a écrit :
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue.
OK, here I strongly disagree.
You say you don't see as a "major issue" that any
Also, the patch was found, by you to be defective. So I was expecting to
see another round.
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In current state of the Debian package, if nothing is changed manually to the
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue. no-one on the security team suggested it was
either, leading me to believe that we had a consensus.
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: sec
as per Nico's point wrt to
filling /var
and fixed a few other bitzers
I've reported the issue upstream so we can look at doing a more lasting change
for the next release.
Sven
On Fri, 2007-10-26 at 16:57 +1000, Sven Dowideit wrote:
> ok, I'll implement this on the w/e, a
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release. Thankyou Joey, as usual you've helped us unsafe bumbles again.
Sven
On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
> Sven Dowideit wrote:
> > neat summary Joey :)
> >
> >
, its security is a crock :(
Do you have any suggestions (other than re-writing TWiki?) or should I
just disable that funcionality and run away?
Sven
On Tue, 2007-10-23 at 16:45 -0400, Joey Hess wrote:
> Sven Dowideit wrote:
> > the working/tmp dir is used for rcs tmp files, and twiki
bout them. The solution to make him understand this, is not
> to yell at him and stop explaining, but rather continue explaining in a
> friendly way.
>
> Sven, please ignore Nicos tone and have a look at
> http://en.wikipedia.org/wiki/Symlink_race :-)
>
>
> Thanks &a
ssion files which have their
own uniqued filename.
and so, I think you are in error, and need to read the code a little
before you make assertions like this.
Sven
On Sun, 2007-10-21 at 12:26 +0200, Nico Golde wrote:
> Hi Sven,
> * Sven Dowideit <[EMAIL PROTECTED]> [2007-10-
is mentioned in README.Debian, I didn't think the
> symlinks are needed. Here's a patch. As usual, it comes with an offer
> to NMU the package.
>
> Regards, Frank
>
>
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
ain
what i can.
Sven
On 04/11/2006, at 3:52 AM, Antony Gelberg wrote:
I haven't cc'd the bug 367973 that this comes from - Steve if you
want the background please see http://bugs.debian.org/cgi-bin/
bugreport.cgi?bug=367973 and http://bugs.debian.org/twiki.
Sven Dowideit:
its
its stuff like this that just keeps depressing me into not finishing the
work i do packaging twiki for debian.
your officiousness is a joy, ta.
same sort of thing as when just before the last debian release came out,
and some one helpfully filed an un-reproducible RC bug, that didn't
happen for a
> and this bug report can be closed?
>
> Micah
>
> Sven Dowideit wrote:
>
>>>while I think its very reasonable for you to send along these
>>>advisories, and even doing so as a BTS bug wothout testing them
>>>
>>>I think its incredibly rud
vulnerabilities in Debian. It is better to be asked once if this is an
> issue and have it properly noted, than for Debian to not pay attention
> to anything at all and be riddled with security holes.
>
> micah
>
>
>
> Sven Dowideit wrote:
>
>>>excellen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
excellent.
Micah, did you manage to reproduce this in the debian package at all?
you see, the debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume that you
have found a way to make it happ
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
why are you running a totally outdated twiki package?
http://packages.debian.org/unstable/web/twiki only lists 20040902-3, in
which this problem has been solved using the robustness patch from
Florian Weimer <[EMAIL PROTECTED]>
Cheers
Sven
Paul Sza
cut 'r' and major
> ---
> > ($rev1) = $rev1 =~ /r?1\.(\d*)/; # cut 'r' and major
> > ($rev2) = $rev2 =~ /r?1\.(\d*)/; # cut 'r' and major
>
> Tristan
>
>
>
> On Sat, May 07, 2005 at 07:15:29PM +1000, Sven Dowideit wrote:
>
I'm sorry, but I cannot re-produce this. and when testing your suggested
change, I get other errors in my log.
is there any more information you can give me?
(what topics, what kind of changes, which particular diffs link)
Sven
On Mon, 2005-05-02 at 07:01 -0400, [EMAIL PROTECTED] wrote:
> Packa
40 matches
Mail list logo
