Your message dated Wed, 04 Sep 2013 23:48:21 +0000
with message-id <[email protected]>
and subject line Bug#721557: fixed in moin 1.9.7-1
has caused the Debian Bug report #721557,
regarding python-moinmoin: Trying to create page without write permissions (or
cancelling a creation of page) creates empty page directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
721557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-moinmoin
Version: 1.9.4-8+deb7u1
Severity: normal
Tags: upstream patch
Control: found -1 1.9.5-5
Hi Steve,
We found ourselves to be affected by [1] at our workplace, which could in
principle be used to mount a minor denial of service attack on
moinmoin pages for users e.g. having an inode quota set (or in the worst
case fill space in general, depending on protection for wiki
instance):
"An attempt by an unauthorized user to create a page fails when they
attempt to edit it, but leaves a junk directory behind in data/pages.
It appears that the ACL is not checked at page creation time."
I can confirm this behaviour: In both cases if
- a user with no write permissions tries creating a new page
- a user with write permissions cancels creating a new page
a data/pages/foo directory with an empty edit-log is created,
confirmed both for wheezy and unstable (squeeze not tested).
Upstream patch at [2] solves this problem.
Could this patch be applied to unstable? I would like to see this also
fixed for stable: if you are short on time I can prepare a debdiff to
be proposed to the stable release managers in that case (but I know
the issue first needs to be fixed in unstable).
[1] http://moinmo.in/MoinMoinBugs/CreatingPagesWithoutWritePermissionCreatesEmptyPageDirectories
[2] http://hg.moinmo.in/moin/1.9/rev/6489ec33874d
Many thanks in advance for any feedback,
Regards,
Salvatore
--- End Message ---
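An added example, not part of the bug report or of MoinMoin itself: a read-only audit that lists directories under data/pages holding nothing but an empty edit-log, the leftover the report describes. The function names and the sample tree are constructed for illustration, and the check assumes a leftover directory contains no other files.

```python
import os
import stat
import tempfile


def is_junk_pagedir(path):
    """True if path holds nothing, or only a zero-byte regular file 'edit-log'."""
    entries = os.listdir(path)
    if not entries:
        return True
    if entries != ["edit-log"]:
        return False
    # lstat so a symlink standing in for the log is never followed
    st = os.lstat(os.path.join(path, "edit-log"))
    return stat.S_ISREG(st.st_mode) and st.st_size == 0


def find_junk_pagedirs(pages_root):
    """Return sorted names of leftover page directories; nothing is deleted."""
    junk = []
    for name in sorted(os.listdir(pages_root)):
        path = os.path.join(pages_root, name)
        if os.path.isdir(path) and not os.path.islink(path) and is_junk_pagedir(path):
            junk.append(name)
    return junk


def build_sample_tree(root):
    """Constructed sample layout for the demo, not taken from a real wiki."""
    def touch(path, data=b""):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)

    touch(os.path.join(root, "foo", "edit-log"))                       # leftover
    touch(os.path.join(root, "FrontPage", "edit-log"), b"constructed entry\n")
    touch(os.path.join(root, "FrontPage", "revisions", "00000001"), b"text")
    touch(os.path.join(root, "Draft", "edit-log"))                     # empty log...
    touch(os.path.join(root, "Draft", "attachments", "a.txt"), b"x")   # ...but has content
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_junk_pagedirs(build_sample_tree(tmp)))
```

Running it periodically against a wiki's data/pages and tracking the count gives an early signal of the inode or disk growth the report is concerned about.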
--- Begin Message ---
Source: moin
Source-Version: 1.9.7-1
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 30 Apr 2013 18:45:43 +0100
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.9.7-1
Distribution: unstable
Urgency: low
Maintainer: Steve McIntyre <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Description:
 python-moinmoin - Python clone of WikiWiki - library
Closes: 704433 721557
Changes:
 moin (1.9.7-1) unstable; urgency=low
 .
   * New upstream release (x2)
   * Make sure that strings output to the external account creation checker
     are marked as UTF-8.
   * Re-add missing dependencies, fallout from the CDBS switch.
     Closes: #704433
   * Add dependency on python-passlib rather than use the bundled version.
   * Update patches to fit upstream changes:
     + recaptcha.patch
     + subscribercache.patch
     + use_systemwide_libs.patch
     + mail-verification.patch
   * Remove patches that were already from upstream:
     + constant_time_strcmp.patch
     + escape_css_url.patch
     + secure_taintfile_name.patch
     + escape_pagename_in_rss.patch
     + draw-taintfile.patch
     + attachfile-path-traversal.patch
   * Split out the call to external account creation check into a separate
     patch (external_account_creation_check.patch) instead of lumping it in
     with mail-verification.patch
   * Do not create empty pagedir (with empty edit-log). Patch from
     upstream. Closes: #721557
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---