Debian Bug report logs -
#766545
CVE-2014-8763 CVE-2014-8764
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 23 Oct 2014 21:12:19 UTC
Severity: important
Tags: security
Fixed in version dokuwiki/0.0.20140929.a-1
Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#766545; Package dokuwiki.
(Thu, 23 Oct 2014 21:12:23 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>.
(Thu, 23 Oct 2014 21:12:23 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: dokuwiki
Severity: important
Tags: security
Hi Tanguy,
CVE-2014-8763/CVE-2014-8764 have been assigned to this:
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
There was also a CVE assignment for this issue, which is
already fixed in jessie:
https://github.com/splitbrain/dokuwiki/issues/765
I don't know dokuwiki, should we fix the media manager issue in wheezy?
See http://seclists.org/oss-sec/2014/q4/361 for details on
the CVE assignments.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#766545; Package dokuwiki.
(Tue, 28 Oct 2014 13:30:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list.
(Tue, 28 Oct 2014 13:30:05 GMT) (full text, mbox, link).
Message #10 received at 766545@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
package dokuwiki
fixed 766545 dokuwiki/0.0.20140929.a-1
thanks
Moritz Muehlenhoff, 2014-10-23 23:11+0200:
>Hi Tanguy,
>CVE-2014-8763/CVE-2014-8764 have been assigned to this:
>http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
>
>There was also a CVE assignment for this issue, which is
>already fixed in jessie:
>https://github.com/splitbrain/dokuwiki/issues/765
No it is not fixed in Jessie. That is, it is now, or rather, it will be
when the version 0.0.20140929.a-1 I have just uploaded will reach
testing.
>I don't know dokuwiki, should we fix the media manager issue in wheezy?
I do not think that only affects the media manager, but I will see to
fix it in stable and oldstable, yes.
Librement,
--
,--.
: /` ) ن Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_
[signature.asc (application/pgp-signature, inline)]
Marked as fixed in versions dokuwiki/0.0.20140929.a-1.
Request was from Tanguy Ortolo <tanguy+debian@ortolo.eu>
to control@bugs.debian.org.
(Tue, 28 Oct 2014 13:30:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#766545; Package dokuwiki.
(Tue, 28 Oct 2014 15:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>.
(Tue, 28 Oct 2014 15:39:05 GMT) (full text, mbox, link).
Message #17 received at 766545@bugs.debian.org (full text, mbox, reply):
Hi,
On Tue, Oct 28, 2014 at 02:26:48PM +0100, Tanguy Ortolo wrote:
> package dokuwiki
> fixed 766545 dokuwiki/0.0.20140929.a-1
> thanks
>
> Moritz Muehlenhoff, 2014-10-23 23:11+0200:
> >Hi Tanguy,
> >CVE-2014-8763/CVE-2014-8764 have been assigned to this:
> >http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
> >
> >There was also a CVE assignment for this issue, which is
> >already fixed in jessie:
> >https://github.com/splitbrain/dokuwiki/issues/765
>
> No it is not fixed in Jessie. That is, it is now, or rather, it will be when
> the version 0.0.20140929.a-1 I have just uploaded will reach testing.
Is this right about the last one? The whole CVE assignment for all
four CVEs is at
https://marc.info/?l=oss-security&m=141347568722364&w=2 .
CVE-2014-8761 and CVE-2014-8762 seem to be assigned to issues found in
https://github.com/splitbrain/dokuwiki/issues/765 which were fixed in
the hotfix release 2014-05-05a.
Then there were two additional CVEs CVE-2014-8763 and CVE-2014-8764
which are for problems uncovered in
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#766545; Package dokuwiki.
(Wed, 11 Mar 2015 14:15:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Emmanuel Kasper <emmanuel@libera.cc>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>.
(Wed, 11 Mar 2015 14:15:07 GMT) (full text, mbox, link).
Message #22 received at 766545@bugs.debian.org (full text, mbox, reply):
hello tanguy
I've just installed the Debian Dokuwiki package and did some research
concerning CVE-2014-8763/CVE-2014-8764
I have read againg the message of the initial upstream reporter of the
issue
(http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication),
and the null string handling allowing to do the anonymous auth bind is
rather a PHP problem than a dokuwiki problem.
Now it seems that he problem has been solved in the php side since php
5.6 ( look for ldap in http://php.net/ChangeLog-5.php )
Since Jessie has PHP >= 5.6 in Jessie and Sid, that just leaves Debian
stable vulnerable to the issue, so it might not be necessary to make a
specific upload for Jessie
(I see that your package 0.0.20140929.a-1 has not propagated to Jessie
has the freeze has probably blocked it)
Reply sent
to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility.
(Sun, 22 Mar 2015 17:30:14 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Sun, 22 Mar 2015 17:30:14 GMT) (full text, mbox, link).
Message #27 received at 766545-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Emmanuel Kasper, 2015-03-11 15:10+0100:
>I've just installed the Debian Dokuwiki package and did some research
>concerning CVE-2014-8763/CVE-2014-8764
>
>Now it seems that he problem has been solved in the php side since php
>5.6 ( look for ldap in http://php.net/ChangeLog-5.php )
>
>Since Jessie has PHP >= 5.6 in Jessie and Sid, that just leaves Debian
>stable vulnerable to the issue, so it might not be necessary to make a
>specific upload for Jessie
Yes, this is correct, and since this issue was already fixed in
squeeze-lts and wheezy-security with specific uploads, that leave... no
Debian distribution vulnerable, I am therefore closing this bug. Thanks
for the information!
Librement,
--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 20 Apr 2015 07:26:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:17:27 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon