Your message dated Mon, 16 Sep 2013 21:32:06 +0000
with message-id <[email protected]>
and subject line Bug#721557: fixed in moin 1.9.4-8+deb7u2
has caused the Debian Bug report #721557,
regarding python-moinmoin: Trying to create page without write permissions (or
cancelling a creation of page) creates empty page directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
721557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-moinmoin
Version: 1.9.4-8+deb7u1
Severity: normal
Tags: upstream patch
Control: found -1 1.9.5-5
Hi Steve,
We found ourselves to be affected by [1] at our workplace, which could in
principle be used to mount a minor denial of service attack on
moinmoin pages for users e.g. having an inode quota set (or in the worst
case fill space in general, depending on protection for wiki
instance):
"An attempt by an unauthorized user to create a page fails when they
attempt to edit it, but leaves a junk directory behind in data/pages.
It appears that the ACL is not checked at page creation time."
I can confirm this behaviour: In both cases if
- a user with no write permissions tries creating a new page
- a user with write permissions cancels creating a new page
a data/pages/foo directory with an empty edit-log is created,
confirmed both for wheezy and unstable (squeeze not tested).
Upstream patch at [2] solves this problem.
Could this patch be applied to unstable? I would like to see this also
fixed for stable: if you are short on time I can prepare a debdiff to
be proposed to the stable release managers in that case (but I know
the issue first needs to be fixed in unstable).
[1] http://moinmo.in/MoinMoinBugs/CreatingPagesWithoutWritePermissionCreatesEmptyPageDirectories
[2] http://hg.moinmo.in/moin/1.9/rev/6489ec33874d
Many thanks in advance for any feedback,
Regards,
Salvatore
--- End Message ---
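A check an administrator could run for the leftover directories described in the report above. This is an added example, not part of the original messages or of MoinMoin's code; it assumes a junk page directory holds nothing except a zero-byte `edit-log`, and the sample tree (including the `current`, `revisions` and `attachments` names) is constructed for illustration.

```python
import os
import tempfile


def find_junk_pagedirs(pages_root):
    """Return sorted names of page dirs whose only file is a zero-byte edit-log."""
    junk = []
    for entry in os.scandir(pages_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        # Collect every file below the page dir; empty subdirectories are ignored.
        files = []
        for dirpath, _dirs, filenames in os.walk(entry.path):
            files.extend(os.path.join(dirpath, name) for name in filenames)
        if len(files) != 1:
            continue
        only = files[0]
        # Assumption: the leftover is exactly <pagedir>/edit-log with size 0.
        if (os.path.dirname(only) == entry.path
                and os.path.basename(only) == "edit-log"
                and os.path.getsize(only) == 0):
            junk.append(entry.name)
    return sorted(junk)


def build_sample_tree(root):
    """Constructed data/pages tree: two junk dirs and two dirs with real content."""
    def write(rel, data=b""):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    write("foo/edit-log")                        # junk: empty edit-log only
    write("bar/edit-log")                        # junk: empty edit-log only
    write("FrontPage/edit-log", b"constructed log line\n")
    write("FrontPage/current", b"00000001\n")
    write("FrontPage/revisions/00000001", b"hello\n")
    write("Notes/edit-log")                      # empty log, but has other content
    write("Notes/attachments/a.txt", b"x")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name in find_junk_pagedirs(tmp):
            print("junk page directory:", name)
```

Each directory reported costs two inodes (the directory and its `edit-log`), which is why the report mentions inode quotas.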
--- Begin Message ---
Source: moin
Source-Version: 1.9.4-8+deb7u2
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 15 Sep 2013 14:44:37 -0700
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.9.4-8+deb7u2
Distribution: stable
Urgency: low
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Description:
python-moinmoin - Python clone of WikiWiki - library
Closes: 721557
Changes:
moin (1.9.4-8+deb7u2) stable; urgency=low
.
* Backport fix from upstream: Do not create empty pagedir (with
empty edit-log). Closes: #721557
--- End Message ---