Your message dated Sun, 18 Mar 2018 07:50:18 +0000
with message-id <[email protected]>
and subject line Bug#891639: fixed in uwsgi 2.0.15-10.4
has caused the Debian Bug report #891639,
regarding uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of 
--php-docroot option allows for directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
891639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891639
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: uwsgi
Version: 2.0.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for uwsgi.

CVE-2018-7490[0]:
| uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
| --php-docroot option, allowing directory traversal.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
[1] https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: uwsgi
Source-Version: 2.0.15-10.4

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:21:22 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-dev uwsgi-core uwsgi-emperor
 uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins
 uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron
 uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs uwsgi-plugin-rados
 uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip
 uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python
 uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3
 uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8
 uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8
 uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1
 uwsgi-plugin-lua5.2 uwsgi-plugin-mono uwsgi-plugin-psgi uwsgi-plugin-python
 uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.5 uwsgi-plugin-router-access
 uwsgi-plugin-sqlite3 uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi
 libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg
 libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators
 python3-uwsgidecorators uwsgi-extra
Architecture: source
Version: 2.0.15-10.4
Distribution: unstable
Urgency: medium
Maintainer: uWSGI packaging team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and it's plugins
 uwsgi-dev  - fast, self-healing application container server (headers)
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.5 - Rack plugin for uWSGI ()
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI ()
 uwsgi-plugin-ring-openjdk-8 - Closure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.15-10.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
