Your message dated Sun, 03 Jul 2005 07:02:24 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#316714: fixed in phpwiki 1.3.7-4 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 3 Jul 2005 09:08:05 +0000 >From [EMAIL PROTECTED] Sun Jul 03 02:08:05 2005 Return-path: <[EMAIL PROTECTED]> Received: from sasquatch.hezmatt.org [70.85.129.92] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1Dp0SL-00089L-00; Sun, 03 Jul 2005 02:08:05 -0700 Received: from [10.6.66.6] (helo=gryphon.hezmatt.org) by sasquatch.hezmatt.org with esmtp (Exim 3.35 #1 (Debian)) id 1Dp0Rm-0002ZG-00 for <[EMAIL PROTECTED]>; Sun, 03 Jul 2005 19:07:30 +1000 Received: from mpalmer by gryphon.hezmatt.org with local (Exim 3.34 #1 (Debian)) id 1Dp0Ro-0000Bs-00 for <[EMAIL PROTECTED]>; Sun, 03 Jul 2005 19:07:32 +1000 Date: Sun, 3 Jul 2005 19:07:32 +1000 From: Matthew Palmer <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: XMLRPC vulnerability Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU" Content-Disposition: inline X-Debbugs-Cc: [EMAIL PROTECTED] User-Agent: Mutt/1.5.9i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE, X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: phpwiki Tags: security Severity: serious Just got this through the PHPWiki list. I'm going to pull xmlrpc.inc as suggested. I pulled the package from Sarge because I didn't think it was releasable, so there's no need to go through a full DSA cycle. Just keeping the security team in the loop. ----- Forwarded message from Reini Urban <[EMAIL PROTECTED]> ----- =46rom: Reini Urban <[EMAIL PROTECTED]> To: phpwiki <[EMAIL PROTECTED]> Date: Sun, 03 Jul 2005 09:04:06 +0200 Subject: XMLRPC vulnerability security advise The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using=20 is easily exploitable. The updated version xmlrpc-1.1 from the website=20 even contains the exploit code, so it's very likely that you webserver=20 will get "rooted" in the next week if your using phpwiki-1.3.4 or later. See http://phpxmlrpc.sourceforge.net/ and http://www.gulftech.org/?node=3Dresearch&article_id=3D00088-07022005 The updated xmlrpc-1.1 version doesn't work out of the box and will=20 require one more day to be fixed. If you are using phpwiki-1.3.11_rc1 or a newer or a CVS versions later=20 than 2005-01-05 AND you are using the native PECL xmlrpc extension by=20 Dan Libby you are on the safe side and forget this issue. Check your=20 phpinfo() if the xmlrpc extension is loaded. phpwiki from 2005-01-05 on checks the existance and does not use the=20 exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC. If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it. Note: It's extremely unfair from the phpxmlrpc maintainers to add the exploit=20 code to the fixed library without any grace period! Usual it is one=20 week, but one ot two days would have been enough also. I'm stronlgy considering removing this horribly written library from=20 phpwiki and just rely on the stable and fast PECL extension by Dan=20 Libby, which also supports SOAP. --=20 Reini Urban http://phpwiki.org/ ------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies =66rom IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick --=20 Phpwiki-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/phpwiki-talk ----- End forwarded message ----- --EeQfGwPcQSOJBaQU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFCx6rUBEnrTWk1E4cRAt5LAJ9Eqkt0pI/JqEkygIBMa6uT2q1t/QCfWQMW p7FRRgmikoR5xOmbQNEzBAs= =PS+h -----END PGP SIGNATURE----- --EeQfGwPcQSOJBaQU-- --------------------------------------- Received: (at 316714-close) by bugs.debian.org; 3 Jul 2005 11:08:02 +0000 >From [EMAIL PROTECTED] Sun Jul 03 04:08:02 2005 Return-path: <[EMAIL PROTECTED]> Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1Dp2KQ-0003T4-00; Sun, 03 Jul 2005 04:08:02 -0700 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1Dp2Ey-0006ij-00; Sun, 03 Jul 2005 07:02:24 -0400 From: Matthew Palmer <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.56 $ Subject: Bug#316714: fixed in phpwiki 1.3.7-4 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Sun, 03 Jul 2005 07:02:24 -0400 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: Source: phpwiki Source-Version: 1.3.7-4 We believe that the bug you reported is fixed in the latest version of phpwiki, which is due to be installed in the Debian FTP archive: phpwiki_1.3.7-4.diff.gz to pool/main/p/phpwiki/phpwiki_1.3.7-4.diff.gz phpwiki_1.3.7-4.dsc to pool/main/p/phpwiki/phpwiki_1.3.7-4.dsc phpwiki_1.3.7-4_all.deb to pool/main/p/phpwiki/phpwiki_1.3.7-4_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Matthew Palmer <[EMAIL PROTECTED]> (supplier of updated phpwiki package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sun, 3 Jul 2005 19:06:58 +1000 Source: phpwiki Binary: phpwiki Architecture: source all Version: 1.3.7-4 Distribution: unstable Urgency: low Maintainer: Debian QA Group <[EMAIL PROTECTED]> Changed-By: Matthew Palmer <[EMAIL PROTECTED]> Description: phpwiki - An informal collaborative website manager Closes: 316714 Changes: phpwiki (1.3.7-4) unstable; urgency=low . * Orphaned, as I have little to no interest in the use or maintenance of PHPWiki any longer (See #299146). * Fixed a couple of brace-expansion issues to clear an FTBFS when /bin/sh == dash. * Removed xmlrpc.inc to prevent the possibility of compromised due to a security vulnerability in the XMLRPC library code. Use the PECL module if you want XMLRPC functionality. Closes: #316714. Files: 5039e2b43e93b1df21fdc332c6d85bdc 585 web optional phpwiki_1.3.7-4.dsc a88dea8e9310286d5164a89e6a01e886 33327 web optional phpwiki_1.3.7-4.diff.gz d57bf54ed7f7600e6ba72a826d4166c3 1257930 web optional phpwiki_1.3.7-4_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFCx8GXBEnrTWk1E4cRApreAKCntdm9tBw8586C5IjR83ggCaai3QCdG2t1 Xa14mIESDBI0g3wSGf3va5A= =t0To -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]