* Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-10, 01:25:
I have tested this by running calendarserver with without new patch
and I can add/retrieve calendar events over the network using
thunderbird-lightning.
The new patch looks good. I'll upload Dmitrijs' NMU shortly (with
Processing commands for cont...@bugs.debian.org:
tags 605157 + patch
Bug #605157 [calendarserver] calendarserver: Use of PYTHONPATH env var in an
insecure way
Bug #605166 [calendarserver] calendarserver: Use of PYTHONPATH env var in an
insecure way
Added tag(s) patch.
Added tag(s) patch.
tags 605157 + patch
thanks
Jakub Wilk jw...@debian.org writes:
tags 605157 - patch
thanks
* Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-03, 22:37:
With my patch applied the resulting /usr/bin/caldavd has:
On Fri, Dec 03, 2010 at 09:45:04PM +, Dmitrijs Ledkovs wrote:
tags 605157 patch
thanks
Dear maintainer,
I've prepared an NMU for calendarserver (versioned as 2.4.dfsg-2.1). I
will seek sponsorship to upload for delayed queue.
If anyone is sponsoring a fixed package, please upload
tags 605157 - patch
thanks
* Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-03, 22:37:
With my patch applied the resulting /usr/bin/caldavd has:
PYTHONPATH=/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/:+:$PYTHONPATH
So if PYTHONPATH was originally empty or unset, this
Processing commands for cont...@bugs.debian.org:
tags 605157 - patch
Bug #605157 [calendarserver] calendarserver: Use of PYTHONPATH env var in an
insecure way
Bug #605166 [calendarserver] calendarserver: Use of PYTHONPATH env var in an
insecure way
Removed tag(s) patch.
Removed tag(s) patch.
tags 605157 patch
thanks
Dear maintainer,
I've prepared an NMU for calendarserver (versioned as 2.4.dfsg-2.1). I
will seek sponsorship to upload for delayed queue.
=== modified file 'debian/changelog'
--- a/debian/changelog 2010-08-25 15:23:37
Hi Dmitrijs,
+@@ -145,7 +145,7 @@
+ line = line.rstrip(\n)
+ if fileType == sh:
+ if line == #PYTHONPATH:
+-script.append('PYTHONPATH=%s:$PYTHONPATH' %
(install_lib,))
++script.append('PYTHONPATH=%s:+:$PYTHONPATH'
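Review bot: the replacement line `script.append('PYTHONPATH=%s:+:$PYTHONPATH'` writes a literal `:+:` into the generated sh script, so the value gains a relative entry named `+` and, when PYTHONPATH is unset or empty, still ends in an empty element. That leaves the same kind of value the bug report flags (`PYTHONPATH=/spam/eggs:$PYTHONPATH`). The conditional form needs the braces of shell parameter expansion, for example `PYTHONPATH=%s${PYTHONPATH:+:$PYTHONPATH}`, which appends `:$PYTHONPATH` only when the variable is set and non-empty.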
Jakub Wilk jw...@debian.org writes:
Hi Dmitrijs,
+@@ -145,7 +145,7 @@
+ line = line.rstrip(\n)
+ if fileType == sh:
+ if line == #PYTHONPATH:
+-script.append('PYTHONPATH=%s:$PYTHONPATH' %
(install_lib,))
++
Package: calendarserver
Version: 2.4.dfsg-2
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH