Your message dated Mon, 14 May 2007 11:15:55 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed two years ago
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: security.debian.org
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 I cannot find a contact address for alioth's administrator or a
 pseudo-package in the BTS (http://www.debian.org/Bugs/pseudo-packages),
 so I'll send this to this package.

 There are vulnerabilities in gforge, as I've posted to BTS #291718,
 and so it affects alioth. For example, if you browse with a crafted
 URL like this, you'll see alioth's /home:
 
http://alioth.debian.org/scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT/../../../../../..//home
 (Can you see this?)

 Please update alioth with the updated gforge package or use a workaround.

 
 Second, it's not a vulnerability, but it's not a good thing, as it is
 some kind of information leak. If alioth's PHP script gets an error, it
 appears in its page with the script's location and line number. I think
 that you should change php.ini to output its errors not to pages but to
 syslog or log files.


 Third, please add an alioth pseudo-package to the BTS :-)


- --
Regards,

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8ycHIu0hy8THJksRAjKoAJ94NHOMS0kJ/Q+T+bwT9H1rjX3NYQCgsDeo
UGzzXIKR7QQU29cc7emMHQU=
=ffpj
-----END PGP SIGNATURE-----


--- End Message ---
--- Begin Message ---
>> I just uploaded the workaround to Sid.  I'm now going to apply it to
>> Alioth's Gforge.

> Looks good. 
> Now I browsed with the crafted URL, but it says "Page not found".
> Thanks, Roland.

Closing.


Thijs

--- End Message ---
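
Added example, not part of the original messages and not GForge's actual workaround: one way a PHP script can confine a user-supplied dir parameter to a repository root and keep error detail out of the rendered page, the two points raised in the report above. The function name, the temporary directory tree and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not GForge code. Keep error detail out of pages; log it to syslog.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', 'syslog');

// Hypothetical helper: canonical path of $requested under $root, or null if outside/missing.
function resolve_under_root(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "..", "//" and symlinks; it returns false if the path is missing.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare with a trailing separator so "cvsroot-old" cannot pass as "cvsroot".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample tree in a temporary directory (not alioth's real layout).
$base = sys_get_temp_dir() . '/scm-demo-' . uniqid();
mkdir("$base/cvsroot/libpst/CVSROOT", 0700, true);
mkdir("$base/home", 0700, true);

$inputs = [
    'libpst/CVSROOT',                // inside the root
    'libpst/CVSROOT/../../../home',  // climbs out of the root
    'libpst/CVSROOT/../..//libpst',  // contains ".." but stays inside the root
    'no-such-dir',                   // does not exist
];
foreach ($inputs as $dir) {
    $resolved = resolve_under_root("$base/cvsroot", $dir);
    if ($resolved === null) {
        error_log('rejected dir parameter: ' . json_encode($dir)); // detail goes to the log
        echo "$dir => Page not found\n";                          // generic answer to the client
    } else {
        echo "$dir => $resolved\n";
    }
}
```

The check is made on the resolved path rather than on the raw string, so a request that contains ".." but still ends up inside the root is served, while one that resolves outside it gets the same generic answer as a missing directory.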
