-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
excellent.
Micah, did you manage to reproduce this in the debian package at all?
you see, the debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume that you
have found a way to make it
and this bug report can be closed?
Micah
Sven Dowideit wrote:
while I think its very reasonable for you to send along these
advisories, and even doing so as a BTS bug wothout testing them
I think its incredibly rude to do so without saying that you have not
tested it out.
please, if you enter
I'm sorry, but I cannot re-produce this. and when testing your suggested
change, I get other errors in my log.
is there any more information you can give me?
(what topics, what kind of changes, which particular diffs link)
Sven
On Mon, 2005-05-02 at 07:01 -0400, [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
why are you running a totally outdated twiki package?
http://packages.debian.org/unstable/web/twiki only lists 20040902-3, in
which this problem has been solved using the robustness patch from
Florian Weimer [EMAIL PROTECTED]
Cheers
Sven
Paul
On Sat, May 07, 2005 at 07:15:29PM +1000, Sven Dowideit wrote:
I'm sorry, but I cannot re-produce this. and when testing your suggested
change, I get other errors in my log.
is there any more information you can give me?
(what topics, what kind of changes, which particular diffs
its stuff like this that just keeps depressing me into not finishing the
work i do packaging twiki for debian.
your officiousness is a joy, ta.
same sort of thing as when just before the last debian release came out,
and some one helpfully filed an un-reproducible RC bug, that didn't
happen for
i can.
Sven
On 04/11/2006, at 3:52 AM, Antony Gelberg wrote:
I haven't cc'd the bug 367973 that this comes from - Steve if you
want the background please see http://bugs.debian.org/cgi-bin/
bugreport.cgi?bug=367973 and http://bugs.debian.org/twiki.
Sven Dowideit:
its stuff like
ah, good find.
Ardo and Christian,
If I make an update to the 4.1.2 package, fixing this, and a couple of
other issues that I've been told about in the next 48 days, would one of
you be willing to upload it for me so it gets into Lenny?
Sven
Dmitry E. Oboukhov wrote:
Package: twiki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Guys,
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
If not, is there any chance that automated tool users are at least
required to help out with a bit more information that the alarmist
, including pollution the
perl lib dirs) so that TWiki people stop being totally confused by the
setup :/
Sven
Nico Golde wrote:
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2008-08-13 11:05]:
I'd need a second opinion on this report please.
My recollection was that we squashed this in Bug#444982
for the version that is going into
lenny - I'll close it as soon as i can find the docco for howto do that :/
Sven
Steve Kemp wrote:
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
I will have to assume that this report is indeed incorrect unless I hear
otherwise.
On my
the hell out of them.
Nico Golde wrote:
Hi Olivier,
* Olivier Berger [EMAIL PROTECTED] [2008-08-13 12:53]:
Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
[...]
I'm hoping for the next release that I can move everything into
/var/twiki (rather than scattered around the fs
Nico's point
wrt to filling /var
Sven
Olivier Berger wrote:
Le mercredi 13 août 2008 à 20:06 +1000, Sven Dowideit a écrit :
Nico,
/var/run - I'll keep that in mind for post lenny - I was really hoping
that debian had a place for this sort of session data, but didn't manage
to get
It has been closed by Sven Dowideit [EMAIL PROTECTED].
DBTS Their explanation is attached below along with your original report.
DBTS If this explanation is unsatisfactory and you have not received a
DBTS better one in a separate message then please contact Sven Dowideit
[EMAIL PROTECTED] by
DBTS
no, its got nothing to do with /var/lib/twiki/data etc, its the location
for session data - produced by CGI::Session etc.
Olivier Berger wrote:
Le mercredi 13 août 2008 à 11:12 +0100, Steve Kemp a écrit :
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:
I know that I can coerce
so Dmitry,
if you were trying to actually help get this fixed, I presume you would
have suggested that I just patch the code to
rm /tmp/twiki
and then create it?
or what are you actually suggesting?
Sven
Dmitry E. Oboukhov wrote:
Where?
$curl
these are _WEB_ session files.
there are no user directories.
Dmitry E. Oboukhov wrote:
SD so Dmitry,
SD if you were trying to actually help get this fixed, I presume you would
SD have suggested that I just patch the code to
SD rm /tmp/twiki
SD and then create it?
SD or what are you
So are you suggesting that I instead fill up /tmp directly with
thousands of cgisess_123412 files?
because the location that those files go into needs to be predictable -
so that each cgi script goes to the same place.
Julien Cristau wrote:
On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven
No, I was told by Nico or Joey that web apps should not be filling up
the /var filesystem with session files.
this is apparently also _not_ a solution.
/tmp was determined in October 2007 as the best place
Dmitry E. Oboukhov wrote:
On 00:17 Thu 14 Aug , Sven Dowideit wrote:
SD
Yes, you should not share CGI::Session files, it does lead to leakage,
and really odd side effects.
Olivier Berger wrote:
Le mercredi 13 août 2008 à 16:19 +0200, Julien Cristau a écrit :
On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
so Dmitry,
if you were trying to actually
Dmitry E. Oboukhov wrote:
On 00:38 Thu 14 Aug , Sven Dowideit wrote:
SD No, I was told by Nico or Joey that web apps should not be filling up
SD the /var filesystem with session files.
SD this is apparently also _not_ a solution.
SD /tmp was determined in October 2007 as the best
how would this would be different from ?
Debian Bug report logs - #468159
twiki: Redirect after Template Login failes
Olivier Berger wrote:
On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
the best irony of this bug, is :
I've implemented Joey's suggestion of 1777 O_EXCL
similar to the change I have just coded and tested :)
thanks
Dmitry E. Oboukhov wrote:
tags 494648 patch
thanks
Hi, Sven
see my patch, please
--
. ''`. Dmitry E. Oboukhov
: :’ : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ardo, Christian ..
I've just put an updated version of the twiki package at
http://distributedinformation.com/TWikiDebian/
that fixes both the security flaw Dmitry found, and a few other bad
oddities.
Could one of you by any chance take a look at
:)
Sven
Olivier Berger wrote:
Hi.
Haven't had a chance to look at the updated package yet (will try
today), but I think it may be better to acknowledge previous NMUs
explicitely in the changelog.
Hope this helps,
Best regards,
Le jeudi 14 août 2008 à 19:03 +1000, Sven Dowideit
://lists.debian.org/debian-devel/2008/08/msg00340.html
Feel free to comment anyway ;)
Best regards,
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven
upload it for me so it can go into Lenny?
Sven
Vincent Bernat wrote:
OoO Pendant le temps de midi du samedi 16 août 2008, vers 12:36, Sven
Dowideit [EMAIL PROTECTED] disait :
frustratingly, I'm not a DD
and Worse. I have an emergency update to TWiki for a security issue that
needs
ah, thanks :)
do I need to find and contact (and bribe with beer?) someone to
'convince release-manager'?
Sven
Vincent Bernat wrote:
OoO En ce début d'après-midi ensoleillé du dimanche 24 août 2008, vers
15:33, Sven Dowideit [EMAIL PROTECTED] disait :
I've finally placed a new twiki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was hoping to have time for this today, but it seems not to be.
I would suggest using 'TWiki Configure User Password' and setting the
configure save pwd to the same thing. (and making the username for it
'admin')
That way it will not need to
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue. no-one on the security team suggested it was
either, leading me to believe that we had a consensus.
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags:
Also, the patch was found, by you to be defective. So I was expecting to
see another round.
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In current state of the Debian package, if nothing is changed manually to the
+1000, Sven Dowideit a écrit :
odd,
I'm under the impression that I did respond, and indicated taht I don't
see it as a major issue.
OK, here I strongly disagree.
You say you don't see as a major issue that anyone on the Internet can
access and change a TWiki instance's configuration
. As usual, it comes with an offer
to NMU the package.
Regards, Frank
--
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
files which have their
own uniqued filename.
and so, I think you are in error, and need to read the code a little
before you make assertions like this.
Sven
On Sun, 2007-10-21 at 12:26 +0200, Nico Golde wrote:
Hi Sven,
* Sven Dowideit [EMAIL PROTECTED] [2007-10-21 11:57]:
ok, following
explaining, but rather continue explaining in a
friendly way.
Sven, please ignore Nicos tone and have a look at
http://en.wikipedia.org/wiki/Symlink_race :-)
Thanks regards happy hacking,
Holger
--
Professional Wiki Innovation and Support
Sven Dowideit - http
security is a crock :(
Do you have any suggestions (other than re-writing TWiki?) or should I
just disable that funcionality and run away?
Sven
On Tue, 2007-10-23 at 16:45 -0400, Joey Hess wrote:
Sven Dowideit wrote:
the working/tmp dir is used for rcs tmp files, and twiki session files
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release. Thankyou Joey, as usual you've helped us unsafe bumbles again.
Sven
On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
Sven Dowideit wrote:
neat summary Joey :)
The reason that I made it world writeable
to
filling /var
and fixed a few other bitzers
I've reported the issue upstream so we can look at doing a more lasting change
for the next release.
Sven
On Fri, 2007-10-26 at 16:57 +1000, Sven Dowideit wrote:
ok, I'll implement this on the w/e, and push it into the upcoming 4.2
release
Sadly, the upstream fix doesn't address the root cause of the url
parameter problem (and we've reported to them at least one exploit that
is unfixed by their patch), and I'm working on the Foswiki fork of
twiki, which is addressing the security issues we know about in what I
consider a more
39 matches
Mail list logo
