Bug#804787: jessie-pu: package servefile/0.4.3-1
On Fri, 2016-01-01 at 18:08 +, Adam D. Barratt wrote:
> On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > I attached a new debdiff with a more meaningful changelog.
> >
> > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > +
> > + * Upstream bugfix release
> > + * Fix for path traversal bug in directory listing mode
> > + * SSL hardening (prefer TLS1.2/TLS1)
>
> Thanks.
>
> + # choose TLS1.2 or TLS1, if available
> + sslMethod = None
> + if hasattr(SSL, "TLSv1_2_METHOD"):
> + sslMethod = SSL.TLSv1_2_METHOD
> + elif hasattr(SSL, "TLSv1_METHOD"):
> + sslMethod = SSL.TLSv1_METHOD
>
> Why is TLS1.1 explicitly avoided here? Might it make more sense to use
> TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
> the highest mutually-supported protocol?

Ping?

The above mail was sent nearly 2.5 years ago, and there's been no
follow-up. The window for getting fixes into jessie before it becomes
LTS closes during the coming weekend.

Regards,

Adam
Bug#804787: jessie-pu: package servefile/0.4.3-1
On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> I attached a new debdiff with a more meaningful changelog.
>
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> + * Upstream bugfix release
> + * Fix for path traversal bug in directory listing mode
> + * SSL hardening (prefer TLS1.2/TLS1)

Thanks.

+ # choose TLS1.2 or TLS1, if available
+ sslMethod = None
+ if hasattr(SSL, "TLSv1_2_METHOD"):
+ sslMethod = SSL.TLSv1_2_METHOD
+ elif hasattr(SSL, "TLSv1_METHOD"):
+ sslMethod = SSL.TLSv1_METHOD

Why is TLS1.1 explicitly avoided here? Might it make more sense to use
TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
the highest mutually-supported protocol?

Regards,

Adam
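Review bot: the quoted hunk leaves sslMethod as None when pyOpenSSL exposes neither TLSv1_2_METHOD nor TLSv1_METHOD, and a Context built from a single-version method does not "prefer" that version as the changelog says, it requires it, so a server built with TLSv1_2_METHOD turns away TLS 1.0 and TLS 1.1 clients outright. Suggest replacing the hasattr chain with the version-flexible method (SSL.SSLv23_METHOD in the pyOpenSSL of that era, TLS_METHOD in later releases) plus ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3): that gives the negotiate-the-highest behaviour asked about above, covers TLS 1.1 without listing it, and removes the None case.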
Bug#804787: jessie-pu: package servefile/0.4.3-1
I attached a new debdiff with a more meaningful changelog.

+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+ * Upstream bugfix release
+ * Fix for path traversal bug in directory listing mode
+ * SSL hardening (prefer TLS1.2/TLS1)

If this is not detailed enough I could also just copy over the upstream
changelog. Christoph also suggested that I attach a git log -p for the
changes between v0.4.3 and v0.4.4.

Greetings,
seba

On 11.11.2015 18:53, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2015-11-11 16:39, Sebastian Lohff wrote:
>> there has been a directory traversal bug in servefile, it was fixed in
>> version 0.4.4. I talked to the Debian security team and they said a DSA
>> would not be necessary and recommended doing a stable-pu. Therefore
>> I'd like to propose an update to 0.4.4 (debdiff attached).
>
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> + * New upstream version
>
> That's not really a suitable changelog for an upload to unstable,
> particularly one that fixes security issues. It's certainly not suitable
> for a stable update.
>
> The point of a changelog entry is to explain the purpose of the upload.
> In this case it is to fix a security problem and some other (specific,
> and enumerated in upstream's changelog) issues, not simply because a new
> upstream release is available. Please make the changelog indicate what
> has actually changed - see
> https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do
> , for example.
>
> Regards,
>
> Adam

diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog 2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog 2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@ servefile changelog === +2015-11-10 v0.4.4 +- + + 0.4.4 released + + * prefer using TLS1.2/TLS1 with --ssl if available + * issue v3 certificates for self signed certificates with --ssl + * removed lots of unnecessary error output + * fixed a bug where wrong ranges were used on a HEAD request in directory listing mode + * fixed a bug where directory listing mode allowed path traversal + + 2013-12-28 v0.4.3 - diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog --- servefile-0.4.3/debian/changelog2014-08-12 22:11:04.0 +0200 +++ servefile-0.4.4/debian/changelog2015-11-24 17:51:45.0 +0100 @@ -1,3 +1,11 @@ +servefile (0.4.4-1~deb8u1) jessie; urgency=high + + * Upstream bugfix release + * Fix for path traversal bug in directory listing mode + * SSL hardening (prefer TLS1.2/TLS1) + + -- Sebastian LohffTue, 24 Nov 2015 17:44:40 +0100 + servefile (0.4.3-1) unstable; urgency=low * New upstream version diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control --- servefile-0.4.3/debian/control 2014-08-13 00:41:01.0 +0200 +++ servefile-0.4.4/debian/control 2015-11-10 21:27:07.0 +0100 @@ -3,7 +3,7 @@ Priority: optional Maintainer: Sebastian Lohff Build-Depends: debhelper (>= 9.0~), python -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Homepage: http://seba-geek.de/stuff/servefile/ Package: servefile diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO --- servefile-0.4.3/PKG-INFO2013-12-28 02:31:38.0 +0100 +++ servefile-0.4.4/PKG-INFO2015-11-10 21:13:09.0 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.0 Name: servefile -Version: 0.4.3 +Version: 0.4.4 Summary: Serve files from shell via a small HTTP server Home-page: http://seba-geek.de/stuff/servefile/ Author: Sebastian Lohff diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile --- servefile-0.4.3/servefile 2013-12-28 02:21:57.0 +0100 +++ servefile-0.4.4/servefile 2015-11-10 20:54:36.0 +0100 
@@ -7,7 +7,7 @@ from __future__ import print_function -__version__ = '0.4.3' +__version__ = '0.4.4' import argparse import base64 @@ -16,7 +16,6 @@ import mimetypes import urllib import os -import posixpath import re import select import socket @@ -102,7 +101,7 @@ try: fromto[0] = int(fromto[0]) fromto[1] = int(fromto[1]) - except: + except ValueError: return (False, None) if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0: @@ -154,11 +153,7 @@ self.end_headers() block = self.getChunk(myfile, fromto) while block: - try: - self.wfile.write(block) - except socket.error as
Bug#804787: jessie-pu: package servefile/0.4.3-1
Control: tags -1 + moreinfo

On 2015-11-11 16:39, Sebastian Lohff wrote:
> there has been a directory traversal bug in servefile, it was fixed in
> version 0.4.4. I talked to the Debian security team and they said a DSA
> would not be necessary and recommended doing a stable-pu. Therefore
> I'd like to propose an update to 0.4.4 (debdiff attached).

+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+ * New upstream version

That's not really a suitable changelog for an upload to unstable,
particularly one that fixes security issues. It's certainly not suitable
for a stable update.

The point of a changelog entry is to explain the purpose of the upload.
In this case it is to fix a security problem and some other (specific,
and enumerated in upstream's changelog) issues, not simply because a new
upstream release is available. Please make the changelog indicate what
has actually changed - see
https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do
, for example.

Regards,

Adam
Bug#804787: jessie-pu: package servefile/0.4.3-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

there has been a directory traversal bug in servefile, it was fixed in
version 0.4.4. I talked to the Debian security team and they said a DSA
would not be necessary and recommended doing a stable-pu. Therefore
I'd like to propose an update to 0.4.4 (debdiff attached).

Greetings,
seba

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog 2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog 2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@ servefile changelog === +2015-11-10 v0.4.4 +- + + 0.4.4 released + + * prefer using TLS1.2/TLS1 with --ssl if available + * issue v3 certificates for self signed certificates with --ssl + * removed lots of unnecessary error output + * fixed a bug where wrong ranges were used on a HEAD request in directory listing mode + * fixed a bug where directory listing mode allowed path traversal + + 2013-12-28 v0.4.3 - diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog --- servefile-0.4.3/debian/changelog 2014-08-12 22:11:04.0 +0200 +++ servefile-0.4.4/debian/changelog 2015-11-11 15:52:59.0 +0100 @@ -1,3 +1,9 @@ +servefile (0.4.4-1~deb8u1) jessie; urgency=high + + * New upstream version + + -- Sebastian LohffTue, 10 Nov 2015 21:22:17 +0100 + servefile (0.4.3-1) unstable; urgency=low * New upstream version diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control --- servefile-0.4.3/debian/control 2014-08-13 00:41:01.0 +0200 +++ servefile-0.4.4/debian/control 2015-11-10 21:27:07.0 +0100 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Sebastian Lohff Build-Depends: debhelper (>= 9.0~), python -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Homepage: http://seba-geek.de/stuff/servefile/ Package: servefile diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO --- servefile-0.4.3/PKG-INFO 2013-12-28 02:31:38.0 +0100 +++ servefile-0.4.4/PKG-INFO 2015-11-10 21:13:09.0 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.0 Name: servefile -Version: 0.4.3 +Version: 0.4.4 Summary: Serve files from shell via a small HTTP server Home-page: http://seba-geek.de/stuff/servefile/ Author: Sebastian Lohff diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile --- servefile-0.4.3/servefile 2013-12-28 02:21:57.0 +0100 +++ servefile-0.4.4/servefile 2015-11-10 20:54:36.0 +0100 @@ -7,7 +7,7 @@ from __future__ import print_function -__version__ = '0.4.3' +__version__ = '0.4.4' import argparse import base64 @@ -16,7 +16,6 @@ import mimetypes import urllib import os -import posixpath import re import select import socket @@ -102,7 +101,7 @@ try: fromto[0] = int(fromto[0]) fromto[1] = int(fromto[1]) - except: + except ValueError: return (False, None) if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0: @@ -154,11 +153,7 @@ self.end_headers() block = self.getChunk(myfile, fromto) while block: - try: -self.wfile.write(block) - except socket.error as e: -print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1])) -return False + self.wfile.write(block) block = self.getChunk(myfile, fromto) myfile.close() print("%s finished downloading %s" % (self.client_address[0], filePath)) 
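Review bot: in the last hunk, dropping the try/except around self.wfile.write means a client that aborts mid-transfer now raises socket.error out of the handler instead of returning False; the ChangeLog's "removed lots of unnecessary error output" suggests that is intended, but the hunk does not show where the exception is caught, so please confirm the caller handles it, otherwise every aborted download prints a traceback in place of the old one-line message. Narrowing the range parser from a bare `except:` to `except ValueError:` in the earlier hunk is the right change: the bare form also swallowed KeyboardInterrupt.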
@@ -310,6 +305,15 @@ """ Send file or directory index, depending on requested path """ path = self.getCleanPath() + # check if path is in current serving directory + currBaseDir = os.path.abspath(self.targetDir) + os.path.sep + requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep + if not requestPath.startswith(currBaseDir): + self.send_response(301) + self.send_header("Location", '/') + self.end_headers() + return + if os.path.isdir(path): if not self.path.endswith('/'): self.send_response(301) @@ -325,7 +329,7 @@ self.end_headers() else: self.send_response(200) - self.sendContentHeaders(self, path, length) + self.sendContentHeaders(path, length) self.end_headers() else: self.sendFile(path, head) @@ -406,7 +410,7 @@ - """ % {'path': posixpath.normpath(urllib.unquote(self.path))} + """ % {'path': os.path.normpath(urllib.unquote(self.path))} footer = """ http://seba-geek.de/stuff/servefile/;>servefile %(version)s @@
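Review bot: in the first hunk, the confinement check validates `requestPath` but the code that follows still opens `path` (`os.path.isdir(path)`, `self.sendFile(path, head)`), so the check only protects if `path` is relative and the process cwd is `self.targetDir`; pass the validated absolute `requestPath` (without the trailing separator) to the file operations to remove that coupling. The trailing `os.path.sep` on both sides is correct and needed, without it `/srv/share2` would pass a prefix check against `/srv/share`. Two smaller points: `os.path.normpath` does not resolve symlinks, so a link inside targetDir pointing outside still passes (use `os.path.realpath` on both sides if that is meant to be rejected), and answering a traversal attempt with 301 to / is unusual; 403 or 404 is the conventional response and does not invite a retry.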
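Review bot: in the last hunk, `os.path.normpath(urllib.unquote(self.path))` is substituted straight into the HTML listing template, and the hunk only swaps posixpath for os.path; please confirm the value is HTML-escaped (cgi.escape) before substitution, since it derives from the request and a directory name containing `<` or `&` would otherwise land unescaped in the page.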
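The confinement check in the hunk above, as an added example that is not servefile's code and not part of the debdiff: it rebuilds the same abspath/normpath/trailing-separator construction, puts the naive prefix check beside it to show the sibling-directory bypass the separator prevents, and adds a realpath variant for the symlink case the lexical check does not cover. clean_request_path() is an assumed stand-in for getCleanPath(), which the page does not show; /srv/share, the sample requests and the temp-dir layout are constructed, and POSIX paths and a working os.symlink are assumed.

```python
"""Path-confinement check for a directory-listing HTTP server.

Added example, not code from servefile or the debdiff. Assumes POSIX paths.
"""
import os
import tempfile
import urllib.parse


def clean_request_path(url_path):
    """Turn a raw request target into a relative filesystem path.

    Assumed stand-in for servefile's getCleanPath(), which is not shown:
    drop the query string, percent-decode, and strip leading slashes so an
    absolute request target is never joined as an absolute path.
    """
    path = url_path.split("?", 1)[0]
    path = urllib.parse.unquote(path)
    return path.lstrip("/")


def naive_check(base_dir, rel_path):
    """Prefix check WITHOUT the trailing separator (the bug the hunk avoids).

    "/srv/share2/x" starts with "/srv/share", so a request for ../share2/x
    escapes into a sibling directory and this check still says yes.
    """
    base = os.path.abspath(base_dir)
    target = os.path.normpath(os.path.join(base, rel_path))
    return target.startswith(base)


def confined_path(base_dir, rel_path):
    """Return the absolute path if it lies inside base_dir, else None.

    Same construction as the 0.4.4 hunk: both sides carry a trailing os.sep,
    so "/srv/share2/x/" no longer matches the prefix "/srv/share/". Purely
    lexical: touches no filesystem state and does not follow symlinks.
    """
    base = os.path.abspath(base_dir) + os.sep
    target = os.path.normpath(os.path.join(base, rel_path))
    if not (target + os.sep).startswith(base):
        return None
    return target


def confined_real_path(base_dir, rel_path):
    """Like confined_path, but resolve symlinks on both sides first, so a
    link inside the served tree that points outside it is rejected too."""
    base = os.path.realpath(base_dir) + os.sep
    target = os.path.realpath(os.path.join(base, rel_path))
    if not (target + os.sep).startswith(base):
        return None
    return target


def symlink_escape_demo():
    """Serve a temp dir holding a symlink to a file beside it and report
    (lexical check passes?, realpath check passes?) for that link."""
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "share")
        os.mkdir(served)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample, not meant to be downloadable\n")
        os.symlink(secret, os.path.join(served, "link.txt"))
        lexical_ok = confined_path(served, "link.txt") is not None
        real_ok = confined_real_path(served, "link.txt") is not None
        return lexical_ok, real_ok


if __name__ == "__main__":
    BASE = "/srv/share"  # hypothetical serving directory
    for raw in ("/docs/readme.txt", "/../etc/passwd", "/..%2F..%2Fetc%2Fpasswd",
                "/docs/../index.html?download=1", "/../share2/x"):
        rel = clean_request_path(raw)
        print("%-32s naive=%-5s confined=%s"
              % (raw, naive_check(BASE, rel), confined_path(BASE, rel)))
    print("symlink: lexical ok=%s, realpath ok=%s" % symlink_escape_demo())
```

Run it directly to see each constructed request classified; the 301-to-/ response in the hunk would be issued wherever confined_path() returns None. The realpath variant is a policy choice rather than a correction of the hunk: a server that deliberately serves symlinked trees would keep the lexical check.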
Processed: Re: Bug#804787: jessie-pu: package servefile/0.4.3-1
Processing control commands:

> tags -1 + moreinfo
Bug #804787 [release.debian.org] jessie-pu: package servefile/0.4.3-1
Added tag(s) moreinfo.

--
804787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems