Bug#367973: twiki: CVE-2006-1387: DoS with INCLUDE
Hi,

it's 135 days since the bug report was filed, it has a patch attached, it is a bug classified as 'serious', still I see no progress.. I don't want to hurt anyone, but with this approach I fear that TWiki will miss the next stable release as well.. :-(

I can offer some help if you accept it (I'm not a DM, but a Debian and TWiki user, and have some Perl programming experience).

Can you send me some update regarding the situation, please?

norbi

Bug#367973: twiki: CVE-2006-1387: DoS with INCLUDE
CVE-2006-1387: TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself.

I could look into fixing this, but since twiki has:

* multiple open security issues without any maintainer response for many months now,
* plus no maintainer response to the majority of the other open bugs,
* trivial things not fixed,
* never been part of a stable release,

the best is to just remove it from testing.

I'm cc'ing MIA since the maintainer doesn't have any visible activity for over a year.

Bug#367973: twiki: CVE-2006-1387: DoS with INCLUDE
it's stuff like this that just keeps depressing me into not finishing the work i do packaging twiki for debian.

your officiousness is a joy, ta.

same sort of thing as when just before the last debian release came out, and someone helpfully filed an un-reproducible RC bug, that didn't happen for anyone else, but no debian developer came out to help.

you guys really truly don't want help from people outside your clique, do you?

Thijs Kinkhorst wrote:

> CVE-2006-1387: TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself.
>
> I could look into fixing this, but since twiki has:
>
> * multiple open security issues without any maintainer response for many months now,
> * plus no maintainer response to the majority of the other open bugs,
> * trivial things not fixed,
> * never been part of a stable release,
>
> the best is to just remove it from testing.
>
> I'm cc'ing MIA since the maintainer doesn't have any visible activity for over a year.