Your message dated Sun, 18 Mar 2018 13:18:43 +0000
with message-id <[email protected]>
and subject line Bug#891639: fixed in uwsgi 2.0.14+20161117-3+deb9u2
has caused the Debian Bug report #891639,
regarding uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
891639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891639
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: uwsgi
Version: 2.0.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for uwsgi.

CVE-2018-7490[0]:
| uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
| --php-docroot option, allowing directory traversal.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
[1] https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html

Regards,
Salvatore

--- End Message ---
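The flaw named above is a document-root containment check that can be sidestepped with traversal sequences. The following C illustration is added here and is not uWSGI's code or the Debian patch; it shows what such a check has to do: normalise the joined path before comparing it against the docroot, and require the prefix match to end at a path-segment boundary. The function names, buffer size and sample paths are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* assumed buffer size for this illustration */

/* Lexically normalise `path` into `out`: drop empty and "." segments, let
 * ".." pop the previous segment but never climb above "/".  Returns 0 on
 * success, -1 if the result would not fit in `n` bytes. */
static int normalize_path(const char *path, char *out, size_t n) {
    size_t len = 0;                       /* bytes in out, excluding NUL */
    const char *p = path;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;            /* skip one or more separators */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 0 && out[--len] != '/') ;   /* pop last segment */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > n) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }  /* n >= 2 assumed */
    return 0;
}

/* Returns 1 if docroot joined with the request path still lies inside
 * docroot after normalisation, 0 otherwise.  The naive variant this
 * replaces checks the docroot prefix on the unnormalised string, which
 * "/../" sequences defeat.  A production server should additionally
 * realpath() the result so a symlink inside docroot cannot escape it. */
int path_within_docroot(const char *docroot, const char *request) {
    char root[PATH_BUF], full[PATH_BUF], joined[2 * PATH_BUF];
    if (normalize_path(docroot, root, sizeof root) != 0) return 0;
    snprintf(joined, sizeof joined, "%s/%s", docroot, request);
    if (normalize_path(joined, full, sizeof full) != 0) return 0;
    size_t rl = strlen(root);
    if (strncmp(full, root, rl) != 0) return 0;     /* prefix must match */
    if (rl == 1) return 1;                          /* docroot is "/" */
    return full[rl] == '\0' || full[rl] == '/';     /* at a segment boundary */
}
```

The boundary test matters on its own: a docroot of `/var/www/html` must not accept `/var/www/html2/x.php` just because the prefix string matches.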
--- Begin Message ---
Source: uwsgi
Source-Version: 2.0.14+20161117-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 17 Mar 2018 09:05:43 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-core uwsgi-emperor uwsgi-plugins-all 
uwsgi-infrastructure-plugins uwsgi-app-integration-plugins 
uwsgi-mongodb-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp 
uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs 
uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip 
uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python 
uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3 
uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8 
uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8 
uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 
uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-mono uwsgi-plugin-psgi 
uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.3 
uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-v8 
uwsgi-plugin-php uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi
 libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg 
libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators 
python3-uwsgidecorators
 uwsgi-extra
Architecture: source
Version: 2.0.14+20161117-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: uWSGI packaging team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and its plugins
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-mongodb-plugins - MongoDB/GridFS plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.3 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI (${uwsgi:RubyDefaultkind})
 uwsgi-plugin-ring-openjdk-8 - Clojure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.14+20161117-3+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)


--- End Message ---