CVE-2013-0347

Debian Bug report logs - #701638
CVE-2013-0347

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 25 Feb 2013 15:27:05 UTC

Severity: important

Tags: security

Fixed in version webfs/1.21+ds1-9

Done: Mats Erik Andersson <mats.andersson@gisladisker.se>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mats Erik Andersson <mats.andersson@gisladisker.se>:
Bug#701638; Package webfs. (Mon, 25 Feb 2013 15:27:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mats Erik Andersson <mats.andersson@gisladisker.se>. (Mon, 25 Feb 2013 15:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-0347
Date: Mon, 25 Feb 2013 16:25:15 +0100
Package: webfs
Severity: important
Tags: security

Hi,
please see http://www.openwall.com/lists/oss-security/2013/02/22/16

This affects Debian (tested with Wheezy):

# ls -lha /var/log/webfs
insgesamt 8,0K
drwxr-sr-x  2 root     www-data 4,0K Feb 25 14:33 .
drwxr-xr-x 16 root     root     4,0K Feb 25 14:33 ..
-rw-r--r--  1 www-data www-data    0 Feb 25 14:33 webfs.log

Cheers,
        Moritz



Added tag(s) pending. Request was from Mats Erik Andersson <mats.andersson@gisladisker.se> to control@bugs.debian.org. (Fri, 08 Nov 2013 15:45:24 GMT)


Reply sent to Mats Erik Andersson <mats.andersson@gisladisker.se>:
You have taken responsibility. (Fri, 13 Dec 2013 21:24:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 13 Dec 2013 21:24:10 GMT)


Message #12 received at 701638-close@bugs.debian.org:

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 701638-close@bugs.debian.org
Subject: Bug#701638: fixed in webfs 1.21+ds1-9
Date: Fri, 13 Dec 2013 21:21:07 +0000
Source: webfs
Source-Version: 1.21+ds1-9

We believe that the bug you reported is fixed in the latest version of
webfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mats Erik Andersson <mats.andersson@gisladisker.se> (supplier of updated webfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Dec 2013 19:22:21 +0100
Source: webfs
Binary: webfs
Architecture: source amd64
Version: 1.21+ds1-9
Distribution: unstable
Urgency: low
Maintainer: Mats Erik Andersson <mats.andersson@gisladisker.se>
Changed-By: Mats Erik Andersson <mats.andersson@gisladisker.se>
Description: 
 webfs      - lightweight HTTP server for static content
Closes: 701638 702660 717705
Changes: 
 webfs (1.21+ds1-9) unstable; urgency=low
 .
   * CVE-2013-0347: Permissions of log file.
     + debian/patches/80_cve_2013_0347.diff: New file.
     + debian/webfs.postinst: Change stat-override, empty world access.
     + debian/webfs.logrotate: Add a specification "su".
     + debian/NEWS: Add a comment.
     + Closes: #701638.
   * Transmission of large files with TLS.
     + debian/patches/68_large_files.diff: New file.
     + Closes: #702660.
   * Incorporate translation updates from 1.21+ds1-8.1.
     Sincere thanks to Christian Perrier and translators;
     in particular Joe Hansen for the completely new Danish
     translation.
   * Debconf translation update:
     + Japanese (victory). Closes: #717705.
     + debian/po/ja.po: Update.
   * Implement hardened builds:
     + debian/rules: Compilation flags using dpkg-buildflags.
     + debian/patches/75_hardening_flags.diff: New file.
     + debian/control: Build depends on dpkg-dev (>= 1.15.7).
   * debian/webfs.init:
     * Adapt to LSB message passing, suggested by Trent W. Buck.
     * Implement "status" command.  Make "start" and "stop" idempotent.
     * Minor shell code clean up.
   * debian/control:
     + Standards 3.9.4; no changes.
     + Binary dependency on lsb-base (>= 3.2-14).
   * debian/rules:
     + Run verbose compiler stage: "verbose=yes".
     + [lintian] Trivial targets build-arch, build-indep.
   * debian/copyright:
     + Field names and URL conform to DEP-5, version 1.0.
     + Make a separate GPL-2+ license description, referenced twice.
   * debian/patches/63_gnutls.diff: Insert a single pointer cast.
   * debian/local/create_cert.sh: Updated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
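
The listing in the report shows the log directory and `webfs.log` carrying permission bits for "other", and the changelog entry for the fix reads "empty world access". The check below is an added example, not code from the webfs package or the bug log; it rebuilds those modes in a constructed scratch directory, and its function names and the plain `chmod` used in place of the package's stat-override change are assumptions.

```shell
#!/bin/sh
# Added example: audit a log directory for access granted to "other".

# Print every path at or below $1 with any read/write/execute bit set
# for "other". Only POSIX find predicates are used.
world_access_paths() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when nothing under $1 is world-accessible, 1 otherwise.
# Offending paths are reported on stderr.
audit_log_dir() {
    hits=$(world_access_paths "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/world-accessible: /' >&2
    return 1
}

# Constructed sample: scratch directory carrying the modes shown in the
# report (drwxr-sr-x directory, -rw-r--r-- log file). Ownership is not
# reproduced, so this runs without root.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/webfs" && : > "$d/webfs/webfs.log" || return 1
    chmod 2755 "$d/webfs"
    chmod 0644 "$d/webfs/webfs.log"
    printf '%s\n' "$d"
}

# Stand-in for the packaged fix (assumption: plain chmod instead of the
# stat-override the changelog mentions): drop every "other" bit.
strip_world_access() {
    chmod -R o-rwx "$1"
}

sample=$(make_sample)
audit_log_dir "$sample/webfs" || echo "before: world access present"
strip_world_access "$sample/webfs"
audit_log_dir "$sample/webfs" && echo "after: no world access"
rm -rf "$sample"
```

Calling `audit_log_dir /var/log/webfs` on a host runs the same check against an installed package.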




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Jan 2014 07:28:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:55:01 2019; Machine Name: beach
