Bug#891639: marked as done (uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal)

[Debian Bug Tracking System]

Your message dated Sat, 17 Mar 2018 21:46:18 +0000
with message-id <e1exjec-0004ym...@fasolo.debian.org>
and subject line Bug#891639: fixed in uwsgi 2.0.7-1+deb8u2
has caused the Debian Bug report #891639,
regarding uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of 
--php-docroot option allows for directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: uwsgi
Version: 2.0.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for uwsgi.

CVE-2018-7490[0]:
| uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
| --php-docroot option, allowing directory traversal.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
[1] https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: uwsgi
Source-Version: 2.0.7-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:37:01 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-core uwsgi-emperor uwsgi-plugins-all 
uwsgi-infrastructure-plugins uwsgi-app-integration-plugins 
uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron 
uwsgi-plugin-emperor-pg uwsgi-plugin-rados uwsgi-plugin-rbthreads 
uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 
uwsgi-plugin-greenlet-python uwsgi-plugin-jvm-openjdk-7 
uwsgi-plugin-jwsgi-openjdk-7 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 
uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-psgi uwsgi-plugin-python 
uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.1 uwsgi-plugin-router-access 
uwsgi-plugin-sqlite3 uwsgi-plugin-v8 uwsgi-plugin-php uwsgi-plugin-xslt 
libapache2-mod-proxy-uwsgi libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi 
libapache2-mod-uwsgi-dbg libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg 
python-uwsgidecorators python3-uwsgidecorators uwsgi-extra
Architecture: all source
Version: 2.0.7-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Janos Guljas <ja...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 889753 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API 
(Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API 
(Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and 
application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and it's plugins
 uwsgi-emperor - fast, self-healing application container server (emperor 
scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-7 - Java plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-jwsgi-openjdk-7 - JWSGI plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI and Coro::AnyEvent plugins for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.1 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI 
(${uwsgi:RubyDefaultkind})
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
Changes:
 uwsgi (2.0.7-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
     (Closes: #889753)
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)
Checksums-Sha1: 
 2202948e8f7896e5807af6e14ba99f14da9440c3 6460 uwsgi_2.0.7-1+deb8u2.dsc
 0e9d1f881736674221d60a5dd5dfcbc25051d48b 772385 uwsgi_2.0.7.orig.tar.gz
 f9e205211a8338198a61d6674401b85f0203f019 43880 
uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 d1faf9977b12fe76605ac37612548d8a661f307f 24086 
python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 3ed8387fd5da00752da3d234e2162366fd57aaa7 24232 
python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 061b57e93494ac65519088c2e3ed72743756c03c 38722 
uwsgi-extra_2.0.7-1+deb8u2_all.deb
Checksums-Sha256: 
 d3778942a02468db6d9222eef43f789dfe32af6b71951afa865c2e0484887555 6460 
uwsgi_2.0.7-1+deb8u2.dsc
 2938464d0277909854f55951cf7d114e0616efbd8dd0295da7da99e944cbc72a 772385 
uwsgi_2.0.7.orig.tar.gz
 94bf1a313e42d641e2e4281fd5908618ddffae141a45345a09adba13f4ae327c 43880 
uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 8ea69d10929ad0dab545df0cb58d9ec0ff1ad8b96e2af0a5e7606992f932e070 24086 
python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 5af80417b95cbcb8a1c6388b16c9526b4900e59642b26812292574fed9a148d4 24232 
python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 97de3106672087332dc70013cb5892d40a9da061ac38ea47a54b11d5faf698d9 38722 
uwsgi-extra_2.0.7-1+deb8u2_all.deb
Files: 
 7432368f3243739171098119ae40e733 6460 web extra uwsgi_2.0.7-1+deb8u2.dsc
 c18da6536f2f47a204814225ba695042 772385 web extra uwsgi_2.0.7.orig.tar.gz
 9b94bf2f6a31e9bddf7b55a7d0be7787 43880 web extra 
uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 a0cff23a472f9ff01e6a64e8f174c550 24086 python extra 
python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 8d123dd0b9f1d74ab5a92860e0cd8991 24232 python extra 
python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 70a95dddbc3cdc05e59712acaee62bf9 38722 web extra 
uwsgi-extra_2.0.7-1+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqs1mxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EylIP/285QN0bP7zVylFqCiRmGacntQyJlqVQ
8Ha/WuJhOQaSirUwv4noyLLCyM+dmyZej7neYCvu45DiD5rbCAW9z2PApBkl6xHn
AhTFNjryC5a1Dz5+v7igqaAb23DPsbuCvqYTw+HtojUZ2TAhlb49ep0CCW7Kfd4D
hRTyYuBP9tvmCTdapm73UqJbVuuV1ZwPyt0wZchaQ0EtXudQSN3AVEc2JqpK2zy7
OQlBJAJdNr/1B7e0zREknS2uP4KEWinohEMKiBoerEvXYNftFGK0yOUBZzRuUxup
ZAP8UUbF2ecZgD0kYlnFUnnA6WgxIEXlhno31flZng0CiDca6P1dKaV8V6hi5rmz
/X/VCZwoeX4rtxM+9s8MTcRiJ47bKtwdCr4gw4XDoOlprHfqjGNYa6x5WpmOPVCr
8nLVHEBzoBhWH27BTsgqyAg16IM4TnBZTcMR9O/rf/KX8NovuBCMVEU5OnHeKJbb
sur227s37x9qr68YFLpVToF4i9D0wPtjPBgwN1LExcYOHy9OlZ0LchJfgg+w64cq
SJ5bzwwYhIwLeUHv9s2fVeVVjDeG0QatIH7Gkppbq+hLHSWSIPq7P2MiViIOZj4v
jICNgt+aoBiYAMHbglrXxFHIeKxyRk0PyfX916BQgWXYSyZZSFQTwQ70HEPvzFPB
TVcH1RIa8Smq
=AUyC
-----END PGP SIGNATURE-----

--- End Message ---