Package: didiwiki
Version: 0.5-11
Tags: patch + pending
Severity: critical

A user has privately sent me a security patch for the didiwiki package, which I maintain. The current installation allows any of the system's users to access any file on the filesystem.

To reproduce it:

----
apt-get install didiwiki
curl "http://localhost:8000/api/page/get?page=/etc/passwd"
----

A patch was also provided by Alexander Izmailov, and will be applied in the upcoming update. Thank you for that!

A CVE has been requested. The Debian security team has been notified too. A version correcting this error will be uploaded soon.

Ignace M
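An added example, not the patch mentioned in this report and not didiwiki's own code: one way to validate the `page` parameter before it is used as a file name, so that a value such as `/etc/passwd` is refused. It assumes pages are stored as flat files in a single wiki directory; `page_name_is_safe` and `PAGE_NAME_MAX` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_NAME_MAX 128   /* assumed limit, not taken from didiwiki */

/*
 * Return true only if `name` can be used as a file name inside the wiki
 * directory without leaving it. Assumption: pages are flat files in one
 * directory, so a legitimate name never contains a path separator.
 * Call this on the value after URL-decoding, never on the raw query string.
 */
bool page_name_is_safe(const char *name)
{
    if (name == NULL)
        return false;

    size_t len = strlen(name);
    if (len == 0 || len > PAGE_NAME_MAX)
        return false;

    /* Rejects ".", ".." and hidden files in one test. */
    if (name[0] == '.')
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* A separator turns a page name into a path ("/etc/passwd"). */
        if (c == '/' || c == '\\')
            return false;
        /* Control bytes have no place in a page name. */
        if (c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs; the second is the value from the report. */
    const char *samples[] = { "WikiHome", "/etc/passwd", "../secret", ".." };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               page_name_is_safe(samples[i]) ? "serve" : "reject");
    return 0;
}
```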

