uwsgi: CVE-2018-6758: stack-based buffer overflow within uwsgi_expand_path

Related Vulnerabilities: CVE-2018-6758   CVE-2018-7490  

Debian Bug report logs - #889753


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 6 Feb 2018 19:48:05 UTC

Severity: important

Tags: patch, security, upstream

Found in version uwsgi/2.0.7-1

Fixed in versions uwsgi/2.0.15-10.2, uwsgi/2.0.14+20161117-3+deb9u1, uwsgi/2.0.7-1+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#889753; Package src:uwsgi. (Tue, 06 Feb 2018 19:48:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Tue, 06 Feb 2018 19:48:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uwsgi: stack-based buffer overflow within uwsgi_expand_path
Date: Tue, 06 Feb 2018 20:46:27 +0100
Source: uwsgi
Version: 2.0.7-1
Severity: important
Tags: patch security upstream

Hi

There is a stack-based buffer overflow flaw within the
uwsgi_expand_path function, cf.:

https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe

http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html

Regards,
Salvatore
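The report above names the bug class (a stack-based buffer overflow in uwsgi_expand_path) but, beyond the upstream commit link, shows no code. The block below is an added example written for this page; it is not code from uwsgi, from the upstream commit, or from the Debian package. It models the general shape of such a helper: a caller-supplied (pointer, length) pair copied into a fixed-size PATH_MAX stack buffer before realpath() resolves it. The function names expand_path_unchecked, expand_path_checked and path_len_in_bounds, the error message text, and the exact layout of the buffers are assumptions for illustration; the real function and its fix are in the linked commit, and this page does not say what input reaches the length argument, so nothing here claims a trigger path.

```c
/* Added example for this bug report, not code from uwsgi or Debian.
 * Models the bug class behind CVE-2018-6758 as the report describes it:
 * an unchecked length used to fill a fixed PATH_MAX stack buffer.
 * All function bodies are assumptions for illustration. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable shape: dir_len is trusted, so any dir_len > PATH_MAX writes
 * past the end of src on the stack, and src[dir_len] = 0 lands beyond it
 * as well. It is kept here only to sit beside the fixed version; do not
 * call it with a length you do not control. */
char *expand_path_unchecked(const char *dir, size_t dir_len, char *out)
{
	char src[PATH_MAX + 1];

	memcpy(src, dir, dir_len);        /* overflow when dir_len > PATH_MAX */
	src[dir_len] = '\0';
	return realpath(src, out);
}

/* Fixed shape: bound the length against the buffer's real capacity
 * (PATH_MAX bytes of path plus one terminator byte) before any write. */
char *expand_path_checked(const char *dir, size_t dir_len, char *out)
{
	char src[PATH_MAX + 1];

	if (dir == NULL || dir_len > PATH_MAX) {
		fprintf(stderr, "invalid path size: %zu (max %d)\n",
			dir_len, PATH_MAX);
		return NULL;
	}
	memcpy(src, dir, dir_len);
	src[dir_len] = '\0';
	/* realpath() returns NULL with errno set if the path does not exist */
	return realpath(src, out);
}

/* The same bound as a standalone predicate, so callers and tests can
 * check a length without touching a buffer. 1 = accepted, 0 = rejected. */
int path_len_in_bounds(size_t dir_len)
{
	return dir_len <= PATH_MAX;
}

int main(void)
{
	char out[PATH_MAX + 1];
	/* Constructed inputs: a path that exists everywhere, and one twice
	 * the size of the stack buffer. */
	const char *ok = "/";
	size_t big_len = (size_t)PATH_MAX * 2;
	char *big = malloc(big_len);

	if (big == NULL)
		return 1;
	memset(big, 'A', big_len);

	if (expand_path_checked(ok, strlen(ok), out))
		printf("resolved: %s\n", out);
	if (!expand_path_checked(big, big_len, out))
		printf("rejected oversized path of %zu bytes\n", big_len);

	free(big);
	return 0;
}
```

The point of the checked variant is that the comparison is against the buffer's actual capacity in bytes and happens before the first write; stack protectors and FORTIFY_SOURCE only turn the overflow into an abort and are defence in depth, not the fix.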



Changed Bug title to 'uwsgi: CVE-2018-6758: stack-based buffer overflow within uwsgi_expand_path' from 'uwsgi: stack-based buffer overflow within uwsgi_expand_path'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Feb 2018 20:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#889753; Package src:uwsgi. (Fri, 09 Feb 2018 21:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Fri, 09 Feb 2018 21:33:03 GMT)


Message #12 received at 889753@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889753@bugs.debian.org
Subject: uwsgi: diff for NMU version 2.0.15-10.2
Date: Fri, 9 Feb 2018 22:29:48 +0100
Control: tags 889753 + patch

Dear maintainer,

I've prepared an NMU for uwsgi (versioned as 2.0.15-10.2). Not yet
uploaded (to any delayed queue).

Regards,
Salvatore
[uwsgi-2.0.15-10.2-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#889753; Package src:uwsgi. (Fri, 09 Feb 2018 21:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Fri, 09 Feb 2018 21:39:06 GMT)


Message #17 received at 889753@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889753@bugs.debian.org
Subject: Re: Bug#889753: uwsgi: diff for NMU version 2.0.15-10.2
Date: Fri, 9 Feb 2018 22:35:37 +0100
Control: tags -1 + pending

Jonas confirmed to me on IRC that it is fine to upload straight away rather than
target a delayed queue.

I have as well prepared updates for jessie- and stretch-pu.

Regards,
Salvatore



Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 889753-submit@bugs.debian.org. (Fri, 09 Feb 2018 21:39:06 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 09 Feb 2018 21:54:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 09 Feb 2018 21:54:14 GMT)


Message #24 received at 889753-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889753-close@bugs.debian.org
Subject: Bug#889753: fixed in uwsgi 2.0.15-10.2
Date: Fri, 09 Feb 2018 21:51:34 +0000
Source: uwsgi
Source-Version: 2.0.15-10.2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Feb 2018 21:35:00 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-dev uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3 uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8 uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8 uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-mono uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.3 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg
 libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators
 uwsgi-extra
Architecture: source
Version: 2.0.15-10.2
Distribution: unstable
Urgency: medium
Maintainer: uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889753
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and its plugins
 uwsgi-dev  - fast, self-healing application container server (headers)
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.3 - Rack plugin for uWSGI ()
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI ()
 uwsgi-plugin-ring-openjdk-8 - Closure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.15-10.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
     (Closes: #889753)
Checksums-Sha1: 
 436e5e1867eef512d674c5a64a274691da6232ca 8121 uwsgi_2.0.15-10.2.dsc
 a56d55d132e6575be08bb143cc0a0adbefdc1bd8 54796 uwsgi_2.0.15-10.2.debian.tar.xz
Checksums-Sha256: 
 5706dc9890ec41d33981b1931d1fb133d84f946e7edf1599287913d244a33188 8121 uwsgi_2.0.15-10.2.dsc
 6fb1f008dd9cf2798c09d5b6a8e0d068dcee2f2ba2015a5ec403807a4774f572 54796 uwsgi_2.0.15-10.2.debian.tar.xz
Files: 
 be4af3004ea01875430503c5ca6a07ea 8121 httpd optional uwsgi_2.0.15-10.2.dsc
 69657c67e3f342e61eb20244f567725a 54796 httpd optional uwsgi_2.0.15-10.2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp+E3NfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E63QP/iKCxZAzdLqkttJf8/bRlulsyrEagdxc
MO02CuabeRVJhMIcIZDnSSLp9LMu+qGW/S1irKkhICWzc6MIQbM/xfrLkt0jrWYU
SdA6B0uTpLhRyLtllIiP84hCiZPAWNeEPWk8Vle0z6xqOUmXQVgMt/PtDVzQgHP4
cI1jxY21bcYnDJurMfBEP/FFdO/ELNUFG0XsKoZNc1ENGsnjpOuSqKpr44NWP9xV
lu0rKUDahzhMSg1LoJ7c5zmtB5plGiAU8Z8sRhLXniiaK5h4ZMNQl0bnmB8rtI3G
AsRe11dVBz7WlU4zyECN1DTsT/FfV2sv4U9grbtdjYEm+rFm6kzzGZL60HU210so
PNaFmc5lo4GZcOcltVy83WrZc7h4YuntBaZcJ+RUN7y0oQql6rGspBi6e6kHkDIG
l6jmBkvRCj1GIs+6tJAVth66eayFNsOlSAdFmspTjoEkPVWG1crO9LuyH8g7rxuR
HYpGS2tZQ8vUYQvkZN4x9PXgzRPbuG3yijGjNJXqBNbCtcEond4vzmhsI04FyeQZ
ZS1X3ltKBSxg5pndOwrEfrDM+TnC60XShRwcK/7DI0htkBdpLfC8fWN67rKJOTbU
w9en+BXL8BqwzQvm4Q87hvkgyJydVGyZFJIa5R61PyF1qwECcIUhZj2+zBi7BFfm
Ad9seMvaw5w4
=VTZj
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 25 Feb 2018 15:06:38 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 25 Feb 2018 15:06:38 GMT)


Message #29 received at 889753-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889753-close@bugs.debian.org
Subject: Bug#889753: fixed in uwsgi 2.0.14+20161117-3+deb9u1
Date: Sun, 25 Feb 2018 15:02:18 +0000
Source: uwsgi
Source-Version: 2.0.14+20161117-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Feb 2018 22:31:14 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-mongodb-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3 uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8 uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8 uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-mono uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.3 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-v8 uwsgi-plugin-php uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi
 libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators
 uwsgi-extra
Architecture: source
Version: 2.0.14+20161117-3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889753
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and its plugins
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-mongodb-plugins - MongoDB/GridFS plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.3 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI (${uwsgi:RubyDefaultkind})
 uwsgi-plugin-ring-openjdk-8 - Closure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
     (Closes: #889753)
Checksums-Sha1: 
 9da3c681ab6956c61979bdbbf5d3186e2c70e452 9170 uwsgi_2.0.14+20161117-3+deb9u1.dsc
 efc5031a79d67278d927c9248ac5c4b1ef06700c 52192 uwsgi_2.0.14+20161117-3+deb9u1.debian.tar.xz
Checksums-Sha256: 
 39f8a1b4c14e5212fdbe2368056dfe9f02c2e0209932baaac213567d8d78b093 9170 uwsgi_2.0.14+20161117-3+deb9u1.dsc
 6037a7938ef5d04afed3bb8b9f81144ed9738f84c0ecd0b1d463c3db41ac948f 52192 uwsgi_2.0.14+20161117-3+deb9u1.debian.tar.xz
Files: 
 2a6c9731117068fc2484fd146be3d5bd 9170 web extra uwsgi_2.0.14+20161117-3+deb9u1.dsc
 0921238145b92ab943659d3c0ebb5cbc 52192 web extra uwsgi_2.0.14+20161117-3+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqQWWtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ej6YQAIquGohA8yaOJInbKNUot4PBOKOTXXGh
S2e3Izx9inEx/reetzFXkOpQHKf9V1YHk+Nm3teTlNdQnAY/RTxKZU1kJAQo+5kG
5jr6E6TtNEbRkQpSOmJOxcUN5cmqaextRE9BY7TROXOaAZqWLUF+6FOHai9Ynr3O
FoxoBT3rSP0xijTC8myn278BZ4P64SnTh4N1QLR95Kj8t5Eae1oj9et5fVZyj6xE
R1WFpfNBEo5zozyae/kzQbnLXZkIEykKuNCfRftXex1t3Ea+MYz4FkY3qIWlvPAY
7tcacu526/FGh4MKPURnjKvuiUqmBlhBrF26njVNDR3qzk4I1eEId93SJNBnaXi1
OE0nyNxV7WwE2gO+zUeuikSOpbk2zwu98AZu2aK2qLht8/IY3+GHyy0jlMFnc8Vf
kWu26o6xvxvBmJsdhayatyhuljUxwf453V+X5zqTxGQHZO4kFlVGM8doAx58UuoK
zq0XIUmx/k87r1yNKrQffXEKoe4Zd7p//TusIolPB6QTCIMSLTIhEKwImzTZquOF
8wv2SXPeilECr3dQKpA0qtlozZuN5D3YH+YijpzuXgVDFl6UU83S67WVf7SN4XRN
3yelCzVzvP/h4OvVUBWEoReyN2zdxnCBteGeoAXHJkM5vAx4uHXk2EqqEACNbYqe
raOUvUTKoUNE
=GWYN
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 17 Mar 2018 21:48:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Mar 2018 21:48:07 GMT)


Message #34 received at 889753-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889753-close@bugs.debian.org
Subject: Bug#889753: fixed in uwsgi 2.0.7-1+deb8u2
Date: Sat, 17 Mar 2018 21:46:18 +0000
Source: uwsgi
Source-Version: 2.0.7-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:37:01 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-greenlet-python uwsgi-plugin-jvm-openjdk-7 uwsgi-plugin-jwsgi-openjdk-7 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.1 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-v8 uwsgi-plugin-php uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators uwsgi-extra
Architecture: all source
Version: 2.0.7-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Janos Guljas <janos@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889753 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and its plugins
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-7 - Java plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-jwsgi-openjdk-7 - JWSGI plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI and Coro::AnyEvent plugins for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.1 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI (${uwsgi:RubyDefaultkind})
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
Changes:
 uwsgi (2.0.7-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
     (Closes: #889753)
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)
Checksums-Sha1: 
 2202948e8f7896e5807af6e14ba99f14da9440c3 6460 uwsgi_2.0.7-1+deb8u2.dsc
 0e9d1f881736674221d60a5dd5dfcbc25051d48b 772385 uwsgi_2.0.7.orig.tar.gz
 f9e205211a8338198a61d6674401b85f0203f019 43880 uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 d1faf9977b12fe76605ac37612548d8a661f307f 24086 python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 3ed8387fd5da00752da3d234e2162366fd57aaa7 24232 python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 061b57e93494ac65519088c2e3ed72743756c03c 38722 uwsgi-extra_2.0.7-1+deb8u2_all.deb
Checksums-Sha256: 
 d3778942a02468db6d9222eef43f789dfe32af6b71951afa865c2e0484887555 6460 uwsgi_2.0.7-1+deb8u2.dsc
 2938464d0277909854f55951cf7d114e0616efbd8dd0295da7da99e944cbc72a 772385 uwsgi_2.0.7.orig.tar.gz
 94bf1a313e42d641e2e4281fd5908618ddffae141a45345a09adba13f4ae327c 43880 uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 8ea69d10929ad0dab545df0cb58d9ec0ff1ad8b96e2af0a5e7606992f932e070 24086 python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 5af80417b95cbcb8a1c6388b16c9526b4900e59642b26812292574fed9a148d4 24232 python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 97de3106672087332dc70013cb5892d40a9da061ac38ea47a54b11d5faf698d9 38722 uwsgi-extra_2.0.7-1+deb8u2_all.deb
Files: 
 7432368f3243739171098119ae40e733 6460 web extra uwsgi_2.0.7-1+deb8u2.dsc
 c18da6536f2f47a204814225ba695042 772385 web extra uwsgi_2.0.7.orig.tar.gz
 9b94bf2f6a31e9bddf7b55a7d0be7787 43880 web extra uwsgi_2.0.7-1+deb8u2.debian.tar.xz
 a0cff23a472f9ff01e6a64e8f174c550 24086 python extra python-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 8d123dd0b9f1d74ab5a92860e0cd8991 24232 python extra python3-uwsgidecorators_2.0.7-1+deb8u2_all.deb
 70a95dddbc3cdc05e59712acaee62bf9 38722 web extra uwsgi-extra_2.0.7-1+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
=AUyC
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Apr 2018 07:29:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:23:40 2019; Machine Name: buxtehude
