Your message dated Mon, 14 May 2007 11:15:55 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed two years ago
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: security.debian.org
Severity: important
I could not find the contact address of alioth's administrator or a
pseudo-package in the BTS (http://www.debian.org/Bugs/pseudo-packages),
so I'll send this to this package.
There are vulnerabilities in gforge, as I've posted to BTS #291718,
and so they affect alioth. For example, if you browse with a crafted
URL like this, you'll see alioth's /home:
http://alioth.debian.org/scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT/../../../../../..//home
(Can you see this?)
Please update alioth with the updated gforge package or use a workaround.
Second, it's not a vulnerability, but it is not a good thing, as it is some
kind of information leak. If alioth's PHP script gets an error, it appears
in the page with the script's location and line number. I think that
you should change php.ini to output its errors not to pages but to
syslog or log files.
Third, please add an alioth pseudo-package in the BTS :-)
--
Regards,
Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp
--- End Message ---
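The directory traversal described in the report above, shown from the defender's side as an added example (this is not gforge code and not from the thread's participants): the "dir" value is normalised and confined to an assumed /cvsroot root, and the same check is run over constructed access-log lines, one of which carries the URL quoted in the report.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the report): the SCM browser may only expose
# directories under this root; the report's URL points into /cvsroot/libpst.
SCM_ROOT = "/cvsroot"


def dir_param(url: str) -> str:
    """Extract the 'dir' query value as controller.php would receive it."""
    return parse_qs(urlsplit(url).query).get("dir", [""])[0]


def vulnerable_resolve(dir_value: str) -> str:
    """Before: the parameter is used as a path unchanged, so the '..'
    components in the report's URL walk out of the repository tree."""
    return dir_value


def safe_resolve(dir_value: str, root: str = SCM_ROOT) -> Optional[str]:
    """After: collapse '.', '..' and doubled slashes, then require the result
    to stay at or below root. Returns None when the request is rejected.
    The check is lexical; on a live server follow it with os.path.realpath()
    so a symlink inside root cannot point back out of it."""
    candidate = posixpath.normpath("/" + dir_value.lstrip("/"))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def flag_traversal(log_lines: list, root: str = SCM_ROOT) -> list:
    """Detection: return the request URLs from access-log lines whose 'dir'
    value would have escaped root. Line format (constructed): <ip> "<GET url>"."""
    hits = []
    for line in log_lines:
        url = line.split('"')[1].split()[1]
        if "dir=" in url and safe_resolve(dir_param(url), root) is None:
            hits.append(url)
    return hits


# Constructed sample traffic: the URL quoted in the bug report and a benign request.
SAMPLE_LOG = [
    '192.0.2.10 "GET /scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT/../../../../../..//home HTTP/1.0"',
    '192.0.2.11 "GET /scm/controller.php?group_id=30390&dir=/cvsroot/libpst/CVSROOT HTTP/1.0"',
]

if __name__ == "__main__":
    for url in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", url)
```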
--- Begin Message ---
>> I just uploaded the workaround to Sid. I'm now going to apply it to
>> Alioth's Gforge.
> Looks good.
> Now I browsed with the crafted URL, but it says "Page not found".
> Thanks, Roland.
Closing.
Thijs
--- End Message ---