Your message dated Thu, 19 Sep 2013 21:17:44 +0000
with message-id <[email protected]>
and subject line Bug#721557: fixed in moin 1.9.3-1+squeeze5
has caused the Debian Bug report #721557,
regarding python-moinmoin: Trying to create page without write permissions (or
cancelling a creation of page) creates empty page directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
721557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-moinmoin
Version: 1.9.4-8+deb7u1
Severity: normal
Tags: upstream patch
Control: found -1 1.9.5-5
Hi Steve,
We found ourselves to be affected by [1] at our workplace, which could in
principle be used to mount a minor denial of service attack on
moinmoin pages for users e.g. having an inode quota set (or in worst
case fill space in general, depending on protection for wiki
instance):
"An attempt by an unauthorized user to create a page fails when they
attempt to edit it, but leaves a junk directory behind in data/pages.
It appears that the ACL is not checked at page creation time."
I can confirm this behaviour: In both cases if
- a user with no write permissions tries creating a new page
- a user with write permissions cancels creating a new page
a data/pages/foo directory with an empty edit-log is created,
confirmed both for wheezy and unstable (squeeze not tested).
Upstream patch at [2] solves this problem.
Could this patch be applied to unstable? I would like to see this also
fixed for stable: if you are short on time I can prepare a debdiff to
be proposed to the stable release managers in that case (but I know
the issue needs first to be fixed in unstable).
[1] http://moinmo.in/MoinMoinBugs/CreatingPagesWithoutWritePermissionCreatesEmptyPageDirectories
[2] http://hg.moinmo.in/moin/1.9/rev/6489ec33874d
Many thanks in advance for any feedback,
Regards,
Salvatore
--- End Message ---
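A check an administrator could run for the leftover directories described in the report above, as an added example that is not part of the original messages and is not MoinMoin's own code. It assumes the pages live under `data/pages` as quoted in the report, flags a page directory only when its sole file is a zero-byte `edit-log`, and uses constructed page names and file contents (the `revisions` and `attachments` sub-directories in the sample tree are assumptions).

```python
import os
import tempfile

EDIT_LOG = "edit-log"  # file name taken from the bug report


def find_junk_pagedirs(pages_root):
    """Names of page dirs under pages_root whose only file is a zero-byte edit-log."""
    junk = []
    for name in sorted(os.listdir(pages_root)):
        pagedir = os.path.join(pages_root, name)
        if os.path.islink(pagedir) or not os.path.isdir(pagedir):
            continue
        # Collect every file below the page dir, as paths relative to it.
        files = [
            os.path.relpath(os.path.join(dirpath, f), pagedir)
            for dirpath, _dirs, fnames in os.walk(pagedir)
            for f in fnames
        ]
        log = os.path.join(pagedir, EDIT_LOG)
        if files == [EDIT_LOG] and os.path.getsize(log) == 0:
            junk.append(name)
    return junk


def _write(path, data=b""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed data/pages tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "data", "pages")
        # Constructed: a page with real content (layout is an assumption).
        _write(os.path.join(pages, "FrontPage", EDIT_LOG), b"constructed entry\n")
        _write(os.path.join(pages, "FrontPage", "revisions", "00000001"), b"text\n")
        # Constructed: the leftover the report describes.
        _write(os.path.join(pages, "foo", EDIT_LOG))
        # Constructed: empty edit-log but another file present, so not flagged.
        _write(os.path.join(pages, "bar", EDIT_LOG))
        _write(os.path.join(pages, "bar", "attachments", "notes.txt"), b"x")
        return find_junk_pagedirs(pages)


if __name__ == "__main__":
    print(demo())
```

Each flagged name costs one directory and one file against an inode quota, so the length of the returned list gives a direct measure of the impact the report mentions.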
--- Begin Message ---
Source: moin
Source-Version: 1.9.3-1+squeeze5
We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated moin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 18 Sep 2013 06:43:51 -0700
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.9.3-1+squeeze5
Distribution: oldstable
Urgency: low
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Description:
python-moinmoin - Python clone of WikiWiki - library
Closes: 721557
Changes:
moin (1.9.3-1+squeeze5) oldstable; urgency=low
.
* Backport fix from upstream: Do not create empty pagedir (with
empty edit-log). Closes: #721557
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---