Your message dated Sun, 03 Jul 2005 07:02:24 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#316714: fixed in phpwiki 1.3.7-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Jul 2005 09:08:05 +0000
>From [EMAIL PROTECTED] Sun Jul 03 02:08:05 2005
Return-path: <[EMAIL PROTECTED]>
Received: from sasquatch.hezmatt.org [70.85.129.92]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Dp0SL-00089L-00; Sun, 03 Jul 2005 02:08:05 -0700
Received: from [10.6.66.6] (helo=gryphon.hezmatt.org)
by sasquatch.hezmatt.org with esmtp (Exim 3.35 #1 (Debian))
id 1Dp0Rm-0002ZG-00
for <[EMAIL PROTECTED]>; Sun, 03 Jul 2005 19:07:30 +1000
Received: from mpalmer by gryphon.hezmatt.org with local (Exim 3.34 #1 (Debian))
id 1Dp0Ro-0000Bs-00
for <[EMAIL PROTECTED]>; Sun, 03 Jul 2005 19:07:32 +1000
Date: Sun, 3 Jul 2005 19:07:32 +1000
From: Matthew Palmer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: XMLRPC vulnerability
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU"
Content-Disposition: inline
X-Debbugs-Cc: [EMAIL PROTECTED]
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--EeQfGwPcQSOJBaQU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: phpwiki
Tags: security
Severity: serious
Just got this through the PHPWiki list. I'm going to pull xmlrpc.inc as
suggested. I pulled the package from Sarge because I didn't think it was
releasable, so there's no need to go through a full DSA cycle. Just keeping
the security team in the loop.
----- Forwarded message from Reini Urban <[EMAIL PROTECTED]> -----
=46rom: Reini Urban <[EMAIL PROTECTED]>
To: phpwiki <[EMAIL PROTECTED]>
Date: Sun, 03 Jul 2005 09:04:06 +0200
Subject: XMLRPC vulnerability security advise
The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using=20
is easily exploitable. The updated version xmlrpc-1.1 from the website=20
even contains the exploit code, so it's very likely that you webserver=20
will get "rooted" in the next week if your using phpwiki-1.3.4 or later.
See http://phpxmlrpc.sourceforge.net/
and http://www.gulftech.org/?node=3Dresearch&article_id=3D00088-07022005
The updated xmlrpc-1.1 version doesn't work out of the box and will=20
require one more day to be fixed.
If you are using phpwiki-1.3.11_rc1 or a newer or a CVS versions later=20
than 2005-01-05 AND you are using the native PECL xmlrpc extension by=20
Dan Libby you are on the safe side and forget this issue. Check your=20
phpinfo() if the xmlrpc extension is loaded.
phpwiki from 2005-01-05 on checks the existance and does not use the=20
exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.
If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it.
Note:
It's extremely unfair from the phpxmlrpc maintainers to add the exploit=20
code to the fixed library without any grace period! Usual it is one=20
week, but one ot two days would have been enough also.
I'm stronlgy considering removing this horribly written library from=20
phpwiki and just rely on the stable and fast PECL extension by Dan=20
Libby, which also supports SOAP.
--=20
Reini Urban
http://phpwiki.org/
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
=66rom IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick
--=20
Phpwiki-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/phpwiki-talk
----- End forwarded message -----
--EeQfGwPcQSOJBaQU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCx6rUBEnrTWk1E4cRAt5LAJ9Eqkt0pI/JqEkygIBMa6uT2q1t/QCfWQMW
p7FRRgmikoR5xOmbQNEzBAs=
=PS+h
-----END PGP SIGNATURE-----
--EeQfGwPcQSOJBaQU--
---------------------------------------
Received: (at 316714-close) by bugs.debian.org; 3 Jul 2005 11:08:02 +0000
>From [EMAIL PROTECTED] Sun Jul 03 04:08:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Dp2KQ-0003T4-00; Sun, 03 Jul 2005 04:08:02 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1Dp2Ey-0006ij-00; Sun, 03 Jul 2005 07:02:24 -0400
From: Matthew Palmer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#316714: fixed in phpwiki 1.3.7-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 03 Jul 2005 07:02:24 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: phpwiki
Source-Version: 1.3.7-4
We believe that the bug you reported is fixed in the latest version of
phpwiki, which is due to be installed in the Debian FTP archive:
phpwiki_1.3.7-4.diff.gz
to pool/main/p/phpwiki/phpwiki_1.3.7-4.diff.gz
phpwiki_1.3.7-4.dsc
to pool/main/p/phpwiki/phpwiki_1.3.7-4.dsc
phpwiki_1.3.7-4_all.deb
to pool/main/p/phpwiki/phpwiki_1.3.7-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthew Palmer <[EMAIL PROTECTED]> (supplier of updated phpwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 3 Jul 2005 19:06:58 +1000
Source: phpwiki
Binary: phpwiki
Architecture: source all
Version: 1.3.7-4
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <[EMAIL PROTECTED]>
Changed-By: Matthew Palmer <[EMAIL PROTECTED]>
Description:
phpwiki - An informal collaborative website manager
Closes: 316714
Changes:
phpwiki (1.3.7-4) unstable; urgency=low
.
* Orphaned, as I have little to no interest in the use or maintenance of
PHPWiki any longer (See #299146).
* Fixed a couple of brace-expansion issues to clear an FTBFS when
/bin/sh == dash.
* Removed xmlrpc.inc to prevent the possibility of compromised due to a
security vulnerability in the XMLRPC library code. Use the PECL module
if you want XMLRPC functionality. Closes: #316714.
Files:
5039e2b43e93b1df21fdc332c6d85bdc 585 web optional phpwiki_1.3.7-4.dsc
a88dea8e9310286d5164a89e6a01e886 33327 web optional phpwiki_1.3.7-4.diff.gz
d57bf54ed7f7600e6ba72a826d4166c3 1257930 web optional phpwiki_1.3.7-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCx8GXBEnrTWk1E4cRApreAKCntdm9tBw8586C5IjR83ggCaai3QCdG2t1
Xa14mIESDBI0g3wSGf3va5A=
=t0To
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
