[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-13 Thread Christian Hertel
Jonas: I will send a mail to Kari Pahula, who seems to be maintaining the tntnet package for Debian, and point him to this launchpad bug. Maybe he will give us some insights on why he changed the default configuration that way, review my changes and either adapt it to fix the tntnet Debian

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-13 Thread Christian Hertel
Just for completion: I just got a short answer from Kari Pahula pointing me to the corresponding Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724746 Looks like the issue has already been fixed there in the same way I fixed it. Until now I accidentally thought that Debian

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-12 Thread Christian Hertel
Sorry, I was unable to find a way to edit my last posting: The default configuration in this package is not in XML format and therefore different to the one that all the patches in the existing tntnet source deb package were built on. I meant the default configuration file

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-12 Thread Christian Hertel
Jonas, for sure the suggested change is not the perfect solution and without any doubt there are many better ways to achieve the goal. Unfortunately I do not have the time to evaluate all possible options, I just wanted to suggest a change to provide a default configuration (which is as close

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-12 Thread Jonas Platte
All right, there is probably some reason this was removed in the original patch. If you don't want to do anything beyond what you've done already, that's fine by me. I won't fix this because I hate Launchpad with a passion; I just seem to have subscribed to tntnet bugs here somewhen, that's why I

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-12 Thread Launchpad Bug Tracker
This bug was fixed in the package tntnet - 2.0+dfsg1-2ubuntu0.1 --- tntnet (2.0+dfsg1-2ubuntu0.1) precise-security; urgency=high * SECURITY UPDATE: Fixed default configuration to prevent exposing files from /. (LP: #1430750) -- Christian Hertel c...@skyway-dc.com Wed, 11

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-12 Thread Steve Beattie
Okay, thanks for the comments. Unless someone is willing to prepare a debdiff with a better fix, I'm going to sponsor the one that Christian provided. Christian: for the record, for updates targeted towards a security pocket, please target RELEASE-security, not just RELEASE. Also, closes:

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Christian Hertel
As requested, I have created a debdiff (my first debdiff so far) which seems to fix this issue in our case. ** Patch added: tntnet_2.0+dfsg1-2ubuntu1.debdiff https://bugs.launchpad.net/ubuntu/+source/tntnet/+bug/1430750/+attachment/4341332/+files/tntnet_2.0%2Bdfsg1-2ubuntu1.debdiff -- You

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Jonas Platte
That will probably still allow paths like /../../etc/passwd. That's why tntnet has the documentRoot setting, which should be available in tntnet 2.0, but should also already be set in the default configuration: https://github.com/maekitalo/tntnet/blob/tags/2.0/tntnet/etc/tntnet/tntnet.xml.in#L59

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Marc Deslauriers
Thanks for the debdiff. I've subscribed the ubuntu-security-sponsors group for review. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1430750 Title: Insecure Default Config leads to security issue

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Christian Hertel
@Jonas: Upstream seems to be based on the following sources: http://www.tntnet.org/download/tntnet-2.0.tar.gz The default configuration in this package is not in XML format and therefore different to the one that all the patches in the existing tntnet source deb package were built on. I chose to

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Jonas Platte
Oh, wait a second. The DocumentRoot was already set in the upstream .conf.in file, but was removed by the original debian patch! What?? I would seriously recommend that you find out why it was removed originally, and restore it. The DocumentRoot setting is specifically made for this purpose, and

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: tntnet (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1430750 Title:

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Marc Deslauriers
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is

[Bug 1430750] Re: Insecure Default Config leads to security issue

2015-03-11 Thread Roman Schließmeyer
** Summary changed: - Insecure Default Config leads to security issue (CVE-2013-7299) + Insecure Default Config leads to security issue ** Description changed: The default configuration file delivered with package tntnet prior to version 2.2.1 allows unauthenticated remote attackers to