Your message dated Fri, 06 Mar 2026 20:44:58 +0000
with message-id <[email protected]>
and subject line Bug#1128380: fixed in uwsgi 2.0.31-3
has caused the Debian Bug report #1128380,
regarding uwsgi: security, etc.: world writable PID file, ...
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128380: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128380
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: uwsgi
Version: 2.0.21-5.1
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Dear Debian Security Team / Maintainer,
Security: likely local only, world writeable PID file,
umask(0), possibly (unknown?) additional issues?
Probably (quite?) minor security issue, also
(unconfirmed) issue may be masked by those using systemd.
Likely issue from upstream (not confirmed),
Likely from at least Version: 2.0.21-5.1 through
most current Debian Version (2.0.31) as this is being
submitted.
Would appear to come from, e.g.:
uwsgi-2.0.21/core/utils.c:162:          umask(0);
uwsgi-2.0.28/core/utils.c:162:          umask(0);
uwsgi-2.0.31/core/utils.c:162:          umask(0);
Further details (including (partial?) work-arounds) below:

Dear Maintainer,

What led up to the situation?

Encountered, e.g. (may be reformatted a bit):
# /etc/init.d/mailman3-web stop
Stopping Mailman3-web uWSGI service:
mailman3-webstart-stop-daemon: matching on world-writable
pidfile /run/mailman3-web/mailman3-web.pid is insecure
 failed!
#

Analyzed and tracked issue back (strace, etc.):
$ stat -c '%a %u %g %F %n' \
> /run/mailman3-web/mailman3-web.pid
666 0 0 regular file /run/mailman3-web/mailman3-web.pid
$
/etc/init.d/mailman3-web -->
start-stop-daemon -->
/usr/bin/uwsgi_python3 --ini /etc/mailman3/uwsgi.ini \
--pidfile /run/mailman3-web/mailman3-web.pid --daemonize \
/var/log/mailman3/web/mailman-web.log
/usr/bin/uwsgi_python3 -->
/etc/alternatives/uwsgi_python3 -->
/usr/bin/uwsgi-core:
umask(000)
openat(... /run/mailman3-web/mailman3-web.pid
uwsgi-core (e.g. 2.0.21-5.1) -->
src:uwsgi, e.g.:
uwsgi-2.0.21/core/utils.c:162:          umask(0);
uwsgi-2.0.28/core/utils.c:162:          umask(0);
uwsgi-2.0.31/core/utils.c:162:          umask(0);

What exactly did you do (or not do) that was effective (or
ineffective)?

(partial?) Work-around?  Haven't fully tested,
but looks like if the PID file already exists, it won't
change permissions on the file, so I'll likely implement a
local work-around in the /etc/init.d/mailman3-web file.
Also, unconfirmed, but folks using systemd might not bump
into this issue, but regardless, the security issue would
appear to still be present in src:uwsgi uwsgi-core
and given the umask(0) in src:uwsgi, there may possibly be
additional security issues/risks.
Looking at recursive rdepends for uwsgi-core it's
possible/likely security issue(s) may also be exposed via
other packages.

What was the outcome of this action?

Existing does or may fail to properly stop due to insecure
PID file, and insecure PID file is also security issue.
Insecure umask may also have other risks, etc.
Work-arounds may be effective, those using systemd
might also not encounter this issue.

What outcome did you expect instead?
Was expecting PID file to be sufficiently secure,
and nominal stop actions to run successfully.

Note also: system is almost entirely Debian 13 stable
trixie, but at present still have some packages pinned to
Debian 12 oldstable bookworm, notably as some mailman3-web
related packages very seriously failed to work on Debian 13
when upgraded.  Have been whittling it down as feasible,
but at present only and exactly these packages are pinned
(Pin-Priority 995) to bookworm{,-{updates,security}}:
mailman3-web python3-django python3-django-allauth
python3-django-compressor python3-django-extensions
python3-django-hyperkitty python3-django-mailman3
python3-django-postorius python3-djangorestframework
python3-mistune uwsgi-core uwsgi-plugin-python3

Note also: until quite recently system was on systemd,
but very recently switched to sysvinit due to unrelated
systemd issues upon Debian 12 --> 13 upgrade (notably
systemd grossly failed to properly initialize network - had
been fine on 12, but not at all on 13, removed systemd and
went to sysvinit, then all the networking was fine again).

In addition to system described below,
same issue seen/reproduced on others.
Appears in common to be src:uwsgi uwsgi-core,
and systemd may mask (but not eliminate) the issue.

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (300, 'oldstable-updates'), (300, 'oldstable-security'), (300, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.73+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Thank you very much for your attention to this and all your
work on Debian!

--- End Message ---
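The chain the report traces (umask(0) in core/utils.c, then the open that creates the pid file) reduced to a stand-alone demonstration, as an added example that is neither the reporter's nor uwsgi's code: a writer that reproduces the 0666 mode, a hardened writer, the reporter's pre-create work-around, and a world-writable check of the kind start-stop-daemon applies. Helper names and the /tmp paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example; helper names are hypothetical, not uwsgi's.
   mode_of: permission bits (0777 mask) of a file, or -1 on error. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* Remove any leftover file so each writer below starts from a clean slate. */
static const char *fresh(const char *path) { (void)unlink(path); return path; }

/* The pattern the report traces: umask(0) (core/utils.c) and then an
   open with O_CREAT and mode 0666. With the mask cleared nothing strips
   the group/other write bits, so a fresh pid file ends up 0666. */
static int write_pidfile_permissive(const char *path) {
    mode_t saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);
    if (fd < 0) return -1;
    close(fd);                 /* the pid text itself is irrelevant here */
    return mode_of(path);
}

/* Hardened variant: ask for 0644 and pin it with fchmod on the open
   descriptor, so neither umask(0) nor an inherited mask changes it. */
static int write_pidfile_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    if (fchmod(fd, 0644) < 0) { close(fd); return -1; }
    close(fd);
    return mode_of(path);
}

/* The reporter's work-around: O_CREAT applies the mode only to a file it
   creates, so a pid file pre-created as 0644 stays 0644 when the
   permissive writer later reopens it under umask(0). */
static int write_pidfile_precreated(const char *path) {
    return write_pidfile_safe(path) < 0 ? -1 : write_pidfile_permissive(path);
}

/* The check start-stop-daemon reported failing: refuse a pid file with
   the world-write bit set. Returns 1 = insecure, 0 = ok, -1 = error. */
static int pidfile_is_world_writable(const char *path) {
    int m = mode_of(path);
    return m < 0 ? -1 : ((m & S_IWOTH) != 0);
}
```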
--- Begin Message ---
Source: uwsgi
Source-Version: 2.0.31-3
Done: Alexandre Rossi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Rossi <[email protected]> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 22 Feb 2026 18:17:03 +0100
Source: uwsgi
Architecture: source
Version: 2.0.31-3
Distribution: unstable
Urgency: medium
Maintainer: uWSGI packaging team <[email protected]>
Changed-By: Alexandre Rossi <[email protected]>
Closes: 934731 1128380
Changes:
 uwsgi (2.0.31-3) unstable; urgency=medium
 .
   * -dbgsym migration now done
   * uwsgi-extra is Multi-Arch foreign
   * autopkgtest: fix test_mountpoints not run
   * fix pidfile default permissions (Closes: #934731, #1128380)


--- End Message ---