Bug#804787: jessie-pu: package servefile/0.4.3-1

2018-06-13 Thread Adam D. Barratt
On Fri, 2016-01-01 at 18:08 +, Adam D. Barratt wrote:
> On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > I attached a new debdiff with a more meaningful changelog.
> > 
> > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > +
> > +  * Upstream bugfix release
> > +  * Fix for path traversal bug in directory listing mode
> > +  * SSL hardening (prefer TLS1.2/TLS1)
> 
> Thanks.
> 
> +   # choose TLS1.2 or TLS1, if available
> +   sslMethod = None
> +   if hasattr(SSL, "TLSv1_2_METHOD"):
> +   sslMethod = SSL.TLSv1_2_METHOD
> +   elif hasattr(SSL, "TLSv1_METHOD"):
> +   sslMethod = SSL.TLSv1_METHOD
> 
> Why is TLS1.1 explicitly avoided here? Might it make more sense to use
> TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
> the highest mutually-supported protocol?
> 

Ping?

The above mail was sent nearly 2.5 years ago, and there's been no
follow-up. The window for getting fixes into jessie before it becomes
LTS closes during the coming weekend.

Regards,

Adam



Bug#804787: jessie-pu: package servefile/0.4.3-1

2016-01-01 Thread Adam D. Barratt
On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> I attached a new debdiff with a more meaningful changelog.
> 
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> +  * Upstream bugfix release
> +  * Fix for path traversal bug in directory listing mode
> +  * SSL hardening (prefer TLS1.2/TLS1)

Thanks.

+   # choose TLS1.2 or TLS1, if available
+   sslMethod = None
+   if hasattr(SSL, "TLSv1_2_METHOD"):
+   sslMethod = SSL.TLSv1_2_METHOD
+   elif hasattr(SSL, "TLSv1_METHOD"):
+   sslMethod = SSL.TLSv1_METHOD
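Review bot: if the installed pyOpenSSL exposes neither TLSv1_2_METHOD nor TLSv1_METHOD, sslMethod stays None and nothing in this snippet reports it, so whatever builds the context from it next fails with an opaque TypeError rather than a clear message. Add a final else branch that either falls back to SSLv23_METHOD with OP_NO_SSLv2 and OP_NO_SSLv3 set (the negotiate-then-disable approach described in the question below) or exits with an explicit error. Note also that the version-specific methods disable negotiation entirely: with TLSv1_2_METHOD selected, a client limited to TLS 1.0 or 1.1 is refused outright, and any newer version is never used.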

Why is TLS1.1 explicitly avoided here? Might it make more sense to use
TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
the highest mutually-supported protocol?

Regards,

Adam
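To make the trade-off in the question concrete, here is an added example (not servefile's code; it uses Python's stdlib ssl module rather than pyOpenSSL so it runs without extra packages): one server context pinned to a single version, which is what a TLSv1_2_METHOD-style selection does, beside one that negotiates upward from a floor with SSLv3 disabled, plus a helper that reports what each would settle on with a given client. The version names and client lists are constructed for the demonstration.

```python
import ssl

# TLS versions in ascending order; the HAS_* flags say whether this OpenSSL
# build can speak each one at all.
_ORDER = [("TLSv1", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
          ("TLSv1_1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
          ("TLSv1_2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
          ("TLSv1_3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3)]
_BY_NAME = {name: enum for name, enum, _ in _ORDER}

def pinned_context(name):
    """Server context that speaks exactly one version, e.g. "TLSv1_2".

    This is what a version-specific OpenSSL method such as TLSv1_2_METHOD
    gives you: no negotiation, so a client without that one version fails
    the handshake, and newer versions are never used either.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ctx.maximum_version = _BY_NAME[name]
    return ctx

def negotiated_context(floor="TLSv1_2"):
    """Server context in the style suggested in the thread.

    PROTOCOL_TLS_SERVER is the stdlib spelling of OpenSSL's TLS_method: both
    peers settle on the highest version they share. OP_NO_SSLv3 mirrors the
    suggestion; the explicit floor is the current way to express the same
    policy and also rules out TLS 1.0 and 1.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.minimum_version = _BY_NAME[floor]
    return ctx

def accepted_versions(ctx):
    """Names of the TLS versions a context is configured to negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    return {name for name, enum, available in _ORDER
            if available
            and (lo == ssl.TLSVersion.MINIMUM_SUPPORTED or enum >= lo)
            and (hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or enum <= hi)}

def negotiate(server_ctx, client_versions):
    """Highest version both sides accept, or None if the handshake would fail."""
    common = accepted_versions(server_ctx) & set(client_versions)
    return max(common, key=_BY_NAME.get) if common else None

def refuses_sslv3(ctx):
    return bool(ctx.options & ssl.OP_NO_SSLv3)
```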



Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-24 Thread Sebastian Lohff
I attached a new debdiff with a more meaningful changelog.

+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * Upstream bugfix release
+  * Fix for path traversal bug in directory listing mode
+  * SSL hardening (prefer TLS1.2/TLS1)

If this is not detailed enough I could also just copy over the upstream
changelog. Christoph also suggested that I attach a git log -p for the
changes between v0.4.3 and v0.4.4.

Greetings,
seba

On 11.11.2015 18:53, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On 2015-11-11 16:39, Sebastian Lohff wrote:
>> There has been a directory traversal bug in servefile; it was fixed in
>> version 0.4.4. I talked to the Debian security team and they said a DSA
>> would not be necessary and recommended doing a stable-pu. Therefore
>> I'd like to propose an update to 0.4.4 (debdiff attached).
> 
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> +  * New upstream version
> 
> That's not really a suitable changelog for an upload to unstable,
> particularly one that fixes security issues. It's certainly not suitable
> for a stable update.
> 
> The point of a changelog entry is to explain the purpose of the upload.
> In this case it is to fix a security problem and some other (specific,
> and enumerated in upstream's changelog) issues, not simply because a new
> upstream release is available. Please make the changelog indicate what
> has actually changed - see
> https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do,
> for example.
> 
> Regards,
> 
> Adam

diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog   2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog   2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@
 servefile changelog
 ===
 
+2015-11-10 v0.4.4
+-
+
+   0.4.4 released
+
+   * prefer using TLS1.2/TLS1 with --ssl if available
+   * issue v3 certificates for self signed certificates with --ssl
+   * removed lots of unnecessary error output
+   * fixed a bug where wrong ranges were used on a HEAD request in 
directory listing mode
+   * fixed a bug where directory listing mode allowed path traversal
+
+
 2013-12-28 v0.4.3
 -
 
diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog
--- servefile-0.4.3/debian/changelog2014-08-12 22:11:04.0 +0200
+++ servefile-0.4.4/debian/changelog2015-11-24 17:51:45.0 +0100
@@ -1,3 +1,11 @@
+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * Upstream bugfix release
+  * Fix for path traversal bug in directory listing mode
+  * SSL hardening (prefer TLS1.2/TLS1)
+
+ -- Sebastian Lohff   Tue, 24 Nov 2015 17:44:40 +0100
+
 servefile (0.4.3-1) unstable; urgency=low
 
   * New upstream version
diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control
--- servefile-0.4.3/debian/control  2014-08-13 00:41:01.0 +0200
+++ servefile-0.4.4/debian/control  2015-11-10 21:27:07.0 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Sebastian Lohff 
 Build-Depends: debhelper (>= 9.0~), python
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Homepage: http://seba-geek.de/stuff/servefile/
 
 Package: servefile
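Review bot: the Standards-Version bump from 3.9.5 to 3.9.6 is unrelated to the fixes this update exists to carry. A stable update is expected to contain only the targeted changes, so this line is better dropped from the jessie upload even though it is harmless in itself; keeping the diff minimal also makes the security-relevant hunks easier to review.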
diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO
--- servefile-0.4.3/PKG-INFO2013-12-28 02:31:38.0 +0100
+++ servefile-0.4.4/PKG-INFO2015-11-10 21:13:09.0 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: servefile
-Version: 0.4.3
+Version: 0.4.4
 Summary: Serve files from shell via a small HTTP server
 Home-page: http://seba-geek.de/stuff/servefile/
 Author: Sebastian Lohff
diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile
--- servefile-0.4.3/servefile   2013-12-28 02:21:57.0 +0100
+++ servefile-0.4.4/servefile   2015-11-10 20:54:36.0 +0100
@@ -7,7 +7,7 @@
 
 from __future__ import print_function
 
-__version__ = '0.4.3'
+__version__ = '0.4.4'
 
 import argparse
 import base64
@@ -16,7 +16,6 @@
 import mimetypes
 import urllib
 import os
-import posixpath
 import re
 import select
 import socket
@@ -102,7 +101,7 @@
try:
fromto[0] = int(fromto[0])
fromto[1] = int(fromto[1])
-   except:
+   except ValueError:
return (False, None)
 
if fromto[0] >= fileLength or fromto[0] 
< 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0:
@@ -154,11 +153,7 @@
self.end_headers()
block = self.getChunk(myfile, fromto)
while block:
-   try:
-   self.wfile.write(block)
-   except socket.error as 

Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2015-11-11 16:39, Sebastian Lohff wrote:

> There has been a directory traversal bug in servefile; it was fixed in
> version 0.4.4. I talked to the Debian security team and they said a DSA
> would not be necessary and recommended doing a stable-pu. Therefore
> I'd like to propose an update to 0.4.4 (debdiff attached).


+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * New upstream version

That's not really a suitable changelog for an upload to unstable,
particularly one that fixes security issues. It's certainly not suitable
for a stable update.

The point of a changelog entry is to explain the purpose of the upload.
In this case it is to fix a security problem and some other (specific,
and enumerated in upstream's changelog) issues, not simply because a new
upstream release is available. Please make the changelog indicate what
has actually changed - see
https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do,
for example.


Regards,

Adam



Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Sebastian Lohff
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

There has been a directory traversal bug in servefile; it was fixed in
version 0.4.4. I talked to the Debian security team and they said a DSA
would not be necessary and recommended doing a stable-pu. Therefore
I'd like to propose an update to 0.4.4 (debdiff attached).

Greetings,
seba

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog	2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog	2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@
 servefile changelog
 ===
 
+2015-11-10 v0.4.4
+-
+
+	0.4.4 released
+
+	* prefer using TLS1.2/TLS1 with --ssl if available
+	* issue v3 certificates for self signed certificates with --ssl
+	* removed lots of unnecessary error output
+	* fixed a bug where wrong ranges were used on a HEAD request in directory listing mode
+	* fixed a bug where directory listing mode allowed path traversal
+
+
 2013-12-28 v0.4.3
 -
 
diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog
--- servefile-0.4.3/debian/changelog	2014-08-12 22:11:04.0 +0200
+++ servefile-0.4.4/debian/changelog	2015-11-11 15:52:59.0 +0100
@@ -1,3 +1,9 @@
+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * New upstream version
+
+ -- Sebastian Lohff   Tue, 10 Nov 2015 21:22:17 +0100
+
 servefile (0.4.3-1) unstable; urgency=low
 
   * New upstream version
diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control
--- servefile-0.4.3/debian/control	2014-08-13 00:41:01.0 +0200
+++ servefile-0.4.4/debian/control	2015-11-10 21:27:07.0 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Sebastian Lohff 
 Build-Depends: debhelper (>= 9.0~), python
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Homepage: http://seba-geek.de/stuff/servefile/
 
 Package: servefile
diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO
--- servefile-0.4.3/PKG-INFO	2013-12-28 02:31:38.0 +0100
+++ servefile-0.4.4/PKG-INFO	2015-11-10 21:13:09.0 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: servefile
-Version: 0.4.3
+Version: 0.4.4
 Summary: Serve files from shell via a small HTTP server
 Home-page: http://seba-geek.de/stuff/servefile/
 Author: Sebastian Lohff
diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile
--- servefile-0.4.3/servefile	2013-12-28 02:21:57.0 +0100
+++ servefile-0.4.4/servefile	2015-11-10 20:54:36.0 +0100
@@ -7,7 +7,7 @@
 
 from __future__ import print_function
 
-__version__ = '0.4.3'
+__version__ = '0.4.4'
 
 import argparse
 import base64
@@ -16,7 +16,6 @@
 import mimetypes
 import urllib
 import os
-import posixpath
 import re
 import select
 import socket
@@ -102,7 +101,7 @@
 	try:
 		fromto[0] = int(fromto[0])
 		fromto[1] = int(fromto[1])
-	except:
+	except ValueError:
 		return (False, None)
 
 	if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0:
@@ -154,11 +153,7 @@
 		self.end_headers()
 		block = self.getChunk(myfile, fromto)
 		while block:
-			try:
-self.wfile.write(block)
-			except socket.error as e:
-print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1]))
-return False
+			self.wfile.write(block)
 			block = self.getChunk(myfile, fromto)
 		myfile.close()
 		print("%s finished downloading %s" % (self.client_address[0], filePath))
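Review bot: removing the try/except around self.wfile.write(block) means a client that disconnects mid-transfer now raises socket.error out of the loop instead of returning False, and on that path myfile.close() below is skipped; the old code had the same leak, since it returned from inside the except. Wrap the loop in try/finally (or open myfile in a with statement) so the file is closed on abort whichever way the error is handled, and if the goal is only to silence the "ABORTED transmission" output, keep the except branch and drop just the print.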
@@ -310,6 +305,15 @@
 		""" Send file or directory index, depending on requested path """
 		path = self.getCleanPath()
 
+		# check if path is in current serving directory
+		currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
+		requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
+		if not requestPath.startswith(currBaseDir):
+			self.send_response(301)
+			self.send_header("Location", '/')
+			self.end_headers()
+			return
+
 		if os.path.isdir(path):
 			if not self.path.endswith('/'):
 self.send_response(301)
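Review bot: the containment check is purely lexical (normpath, not realpath), which handles ".." and absolute paths but does not follow symlinks inside targetDir; if serving symlinked content is intended, say so in a comment. Two follow-ups: the code after the check still calls os.path.isdir(path) on the original path rather than on requestPath, so correctness depends on the process cwd being targetDir, and using requestPath (minus the trailing separator) for the later filesystem calls would remove that coupling; and answering a rejected path with a 301 to '/' hides the event, where a 403 plus a print() in the style of the other log lines would let an operator see traversal attempts.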
@@ -325,7 +329,7 @@
 	self.end_headers()
 else:
 	self.send_response(200)
-	self.sendContentHeaders(self, path, length)
+	self.sendContentHeaders(path, length)
 	self.end_headers()
 			else:
 self.sendFile(path, head)
@@ -406,7 +410,7 @@
 			
 		
 		
-		""" % {'path': posixpath.normpath(urllib.unquote(self.path))}
+		""" % {'path': os.path.normpath(urllib.unquote(self.path))}
 		footer = """
 http://seba-geek.de/stuff/servefile/;>servefile %(version)s
 
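Review bot: the decoded request path is interpolated into a string that is clearly an HTML template (the footer below carries markup), and nothing in this hunk HTML-escapes it; unless getCleanPath() or the surrounding template code already applies cgi.escape(), confirm that before shipping, since a reflected, unescaped request path in a directory listing is the classic way such a page becomes injectable. Separately, the request path is always '/'-separated, so posixpath.normpath was the right module for it; switching to os.path.normpath only changes behaviour on hosts where os.sep differs, and the change is needed only because of the import removal above.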
@@ 
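The containment test the 0.4.4 fix adds, written out as an added example (not servefile's code) with the one pitfall it avoids shown beside it. It uses posixpath so it behaves identically on every platform and a constructed BASE_DIR; the lexical approach, the trailing-separator comparison and the single percent-decoding are the points worth seeing.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demonstration (not a real deployment path).
BASE_DIR = "/srv/files"

def resolve_under(base_dir, url_path):
    """Map a request path onto base_dir; return None if it would escape.

    Same idea as the 0.4.4 fix: normalise the joined path lexically and
    compare it against the base *with* a trailing separator, so that
    "/srv/files-private" is not accepted as being inside "/srv/files".
    The check is lexical only: symlinks under base_dir are not resolved
    (realpath() would do that, at the cost of touching the filesystem).
    """
    base = posixpath.normpath(base_dir) + "/"
    # Percent-decode exactly once, so "%2e%2e/" is seen as "../" while a
    # double-encoded "%252e" stays a literal (and harmless) file name.
    decoded = unquote(url_path)
    # URL paths are absolute with respect to the document root; strip the
    # leading "/" because join() would otherwise discard base_dir entirely.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if not (candidate + "/").startswith(base):
        return None
    return candidate

def naive_prefix_check(base_dir, url_path):
    """The classic mistake: the same test without the trailing separator.

    Kept only to show why the separator matters; do not use it.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(
        posixpath.join(base, unquote(url_path).lstrip("/")))
    return candidate.startswith(base)
```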

Processed: Re: Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #804787 [release.debian.org] jessie-pu: package servefile/0.4.3-1
Added tag(s) moreinfo.

-- 
804787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems