Bundled plugins using Xinha allow malicious file uploads

Related Vulnerabilities: CVE-2011-1133   CVE-2011-1134   CVE-2011-1135  

Debian Bug report logs - #611661
Bundled plugins using Xinha allow malicious file uploads


Package: serendipity; Maintainer for serendipity is (unknown);

Reported by: "Daniel E. Markle" <dmarkle@ashtech.net>

Date: Mon, 31 Jan 2011 18:45:01 UTC

Severity: grave

Tags: security

Found in version serendipity/1.5.3-2

Fixed in version 1.5.3-2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Mon, 31 Jan 2011 18:45:04 GMT)


Acknowledgement sent to "Daniel E. Markle" <dmarkle@ashtech.net>:
New Bug report received and forwarded. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Mon, 31 Jan 2011 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Daniel E. Markle" <dmarkle@ashtech.net>
To: submit@bugs.debian.org
Subject: Bundled plugins using Xinha allow malicious file uploads
Date: Mon, 31 Jan 2011 13:32:01 -0500

Package: serendipity
Version: 1.5.3-2

Summary of the problem from upstream:

"Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code."

Full details (and recommended fixes) at:
http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html





Added tag(s) security. Request was from Alex Brotman <atbrotman@yahoo.com> to control@bugs.debian.org. (Tue, 01 Feb 2011 18:27:09 GMT)


Severity set to 'grave' from 'normal'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 16 Feb 2011 20:12:26 GMT)


Added tag(s) pending. Request was from jm@roth.lu to control@bugs.debian.org. (Wed, 16 Feb 2011 22:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Tue, 08 Mar 2011 13:18:16 GMT)


Acknowledgement sent to Hector Romojaro <hromojaro@dia.uned.es>, 611661@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Tue, 08 Mar 2011 13:18:17 GMT)


Message #16 received at 611661@bugs.debian.org:

From: Hector Romojaro <hromojaro@dia.uned.es>
To: 611661@bugs.debian.org
Cc: Francesco Paolo Lovergine <frankie@debian.org>, security@debian.org
Subject: Bug#611661: Bundled plugins using Xinha allow malicious file uploads
Date: Tue, 08 Mar 2011 14:02:31 +0100

Hi,

About openacs and dotlrn packages, I don't think they are affected by
any of the Xinha vulnerabilities [1][2][3]. The summary says:

"Xinha ships with several plugins that utilize PHP scripting for special
usage, like the ImageManager or ExtendedFileManager. A 0-day security
exploit has been reported available as of today that exploits the
functionality of these plugins to upload malicious files to your
webspace, to execute foreign code." [4]

It seems a PHP problem, and the proposed fix is just to remove a bunch
of php files, so I guess the packages are safe because they don't use
PHP at all, as well as the aolserver package. There is no way to execute
that PHP code on openacs or dotlrn.

[1] http://security-tracker.debian.org/tracker/CVE-2011-1133
[2] http://security-tracker.debian.org/tracker/CVE-2011-1134
[3] http://security-tracker.debian.org/tracker/CVE-2011-1135
[4]
http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html

Cheers, Héctor
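The upstream summary quoted above names the Xinha plugins whose server-side PHP is the problem (ImageManager, ExtendedFileManager), and the fix Héctor describes is removing those PHP files. The following audit helper is an added example, not code from the bug report, Serendipity or Xinha; it checks whether any PHP files are still present under those two plugin directories, so an administrator can confirm the removal was actually applied. The directory layout (a `plugins/` directory somewhere under the web root) and the file names in the fixture are assumptions.

```shell
# Added audit helper (not from the bug report, Serendipity or Xinha).
# Plugin names come from the upstream summary; the path layout is assumed.
XINHA_PHP_PLUGINS="ImageManager ExtendedFileManager"

# Print every .php file beneath the named plugins under web root $1.
xinha_php_plugin_files() {
    root="$1"
    for plugin in $XINHA_PHP_PLUGINS; do
        # locate the plugin directory wherever it sits under the root
        find "$root" -type d -name "$plugin" -path '*/plugins/*' 2>/dev/null |
        while read -r dir; do
            find "$dir" -type f -name '*.php'
        done
    done
}

# Return 0 when no plugin PHP remains (fix applied), 1 when some is left.
xinha_audit() {
    leftover=$(xinha_php_plugin_files "$1")
    if [ -n "$leftover" ]; then
        printf 'PHP files still shipped by Xinha plugins under %s:\n%s\n' \
            "$1" "$leftover"
        return 1
    fi
    echo "no Xinha plugin PHP files found under $1"
    return 0
}

# Constructed fixture: a fake web root with the assumed layout, two PHP
# files that must be flagged and one static file that must not be.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/htmlarea/plugins/ImageManager/backend" \
             "$root/htmlarea/plugins/ExtendedFileManager" \
             "$root/htmlarea/plugins/CharacterMap"
    : > "$root/htmlarea/plugins/ImageManager/backend/manager.php"
    : > "$root/htmlarea/plugins/ExtendedFileManager/config.inc.php"
    : > "$root/htmlarea/plugins/CharacterMap/character-map.js"
    echo "$root"
}

# Demo run: audit before and after the removal the report recommends.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    xinha_audit "$root" || true
    find "$root" -path '*/plugins/*' -name '*.php' -delete
    xinha_audit "$root"
    rm -rf "$root"
fi
```

Run with `--demo` to see the fixture flagged and then reported clean; point `xinha_audit` at a real web root to check an installed copy.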





Information forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Tue, 08 Mar 2011 21:39:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Tue, 08 Mar 2011 21:39:08 GMT)


Message #21 received at 611661@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Hector Romojaro <hromojaro@dia.uned.es>, 611661@bugs.debian.org
Cc: Francesco Paolo Lovergine <frankie@debian.org>, security@debian.org
Subject: Re: Bug#611661: Bundled plugins using Xinha allow malicious file uploads
Date: Tue, 8 Mar 2011 22:37:13 +0100

On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
> Hi,
> 
> About openacs and dotlrn packages, I don't think they are affected by
> any of the Xinha vulnerabilities [1][2][3]. The summary says:
> 
> "Xinha ships with several plugins that utilize PHP scripting for special
> usage, like the ImageManager or ExtendedFileManager. A 0-day security
> exploit has been reported available as of today that exploits the
> functionality of these plugins to upload malicious files to your
> webspace, to execute foreign code." [4]
> 
> It seems a PHP problem, and the proposed fix is just to remove a bunch
> of php files, so I guess the packages are safe because they don't use
> PHP at all, as well as the aolserver package. There is no way to execute
> that PHP code on openacs or dotlrn.
> 
> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
> [4]
> http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html

Thanks, I've updated the security tracker.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Sun, 13 May 2012 17:06:03 GMT)


Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Sun, 13 May 2012 17:06:03 GMT)


Message #26 received at 611661@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 611661@bugs.debian.org
Cc: Hector Romojaro <hromojaro@dia.uned.es>, Francesco Paolo Lovergine <frankie@debian.org>, security@debian.org
Subject: Re: Bug#611661: Bundled plugins using Xinha allow malicious file uploads
Date: Sun, 13 May 2012 18:04:03 +0100

On Tue, Mar 08, 2011 at 10:37:13PM +0100, Moritz Muehlenhoff wrote:
>On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
>> Hi,
>> 
>> About openacs and dotlrn packages, I don't think they are affected by
>> any of the Xinha vulnerabilities [1][2][3]. The summary says:
>> 
>> "Xinha ships with several plugins that utilize PHP scripting for special
>> usage, like the ImageManager or ExtendedFileManager. A 0-day security
>> exploit has been reported available as of today that exploits the
>> functionality of these plugins to upload malicious files to your
>> webspace, to execute foreign code." [4]
>> 
>> It seems a PHP problem, and the proposed fix is just to remove a bunch
>> of php files, so I guess the packages are safe because they don't use
>> PHP at all, as well as the aolserver package. There is no way to execute
>> that PHP code on openacs or dotlrn.
>> 
>> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
>> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
>> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
>> [4]
>> http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html
>
>Thanks, I've updated the security tracker.

So... does this bug still need to be grave?

Looking at other bugs and security tracker issues in serendipity, I'd
be tempted to remove it from Debian anyway...

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.





Information forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Sun, 13 May 2012 19:27:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Sun, 13 May 2012 19:27:04 GMT)


Message #31 received at 611661@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Steve McIntyre <steve@einval.com>, thijs@debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 611661@bugs.debian.org, Hector Romojaro <hromojaro@dia.uned.es>, Francesco Paolo Lovergine <frankie@debian.org>, security@debian.org
Subject: Re: Bug#611661: Bundled plugins using Xinha allow malicious file uploads
Date: Sun, 13 May 2012 21:25:07 +0200

On Sun, May 13, 2012 at 06:04:03PM +0100, Steve McIntyre wrote:
> On Tue, Mar 08, 2011 at 10:37:13PM +0100, Moritz Muehlenhoff wrote:
> >On Tue, Mar 08, 2011 at 02:02:31PM +0100, Hector Romojaro wrote:
> >> Hi,
> >> 
> >> About openacs and dotlrn packages, I don't think they are affected by
> >> any of the Xinha vulnerabilities [1][2][3]. The summary says:
> >> 
> >> "Xinha ships with several plugins that utilize PHP scripting for special
> >> usage, like the ImageManager or ExtendedFileManager. A 0-day security
> >> exploit has been reported available as of today that exploits the
> >> functionality of these plugins to upload malicious files to your
> >> webspace, to execute foreign code." [4]
> >> 
> >> It seems a PHP problem, and the proposed fix is just to remove a bunch
> >> of php files, so I guess the packages are safe because they don't use
> >> PHP at all, as well as the aolserver package. There is no way to execute
> >> that PHP code on openacs or dotlrn.
> >> 
> >> [1] http://security-tracker.debian.org/tracker/CVE-2011-1133
> >> [2] http://security-tracker.debian.org/tracker/CVE-2011-1134
> >> [3] http://security-tracker.debian.org/tracker/CVE-2011-1135
> >> [4]
> >> http://blog.s9y.org/archives/224-Important-Security-Update-Serendipity-1.5.5-released.html
> >
> >Thanks, I've updated the security tracker.
> 
> So... does this bug still need to be grave?
> 
> Looking at other bugs and security tracker issues in serendipity, I'd
> be tempted to remove it from Debian anyway...

I suggested the same some time ago and Thijs (added to CC) said that
removing it from testing would be the first step (which we did back
then).

Thijs, what's your take on dropping s9y for Wheezy?

Cheers,
        Moritz







Information forwarded to debian-bugs-dist@lists.debian.org, Jean-Marc Roth <jmroth@iip.lu>:
Bug#611661; Package serendipity. (Sun, 13 May 2012 19:48:42 GMT)


Acknowledgement sent to "J.M.Roth" <jmroth@iip.lu>:
Extra info received and forwarded to list. Copy sent to Jean-Marc Roth <jmroth@iip.lu>. (Sun, 13 May 2012 19:49:00 GMT)


Message #36 received at 611661@bugs.debian.org:

From: "J.M.Roth" <jmroth@iip.lu>
To: Moritz Mühlenhoff <jmm@inutil.org>, 611661@bugs.debian.org
Cc: Steve McIntyre <steve@einval.com>, thijs@debian.org, Hector Romojaro <hromojaro@dia.uned.es>, Francesco Paolo Lovergine <frankie@debian.org>, security@debian.org
Subject: Re: Bug#611661: Bundled plugins using Xinha allow malicious file uploads
Date: Sun, 13 May 2012 21:32:44 +0200

On 13-May-12 21:25, Moritz Mühlenhoff wrote:
> On Sun, May 13, 2012 at 06:04:03PM +0100, Steve McIntyre wrote:
>> On Tue, Mar 08, 2011 at 10:37:13PM +0100, Moritz Muehlenhoff wrote:
>> Looking at other bugs and security tracker issues in serendipity, I'd
>> be tempted to remove it from Debian anyway... 
> I suggested the same some time ago and Thijs (added to CC) said that
> removing it from testing would be the first step (which we did back
> then).
>
> Thijs, what's your take on dropping s9y for Wheezy?
>
> Cheers,
>         Moritz
>
Hi,
#611661 has been pending upload for a while.
Yeah, maybe I should've pinged Thijs sooner.
I am committing a fix for #650937 now.
I'm currently trying to find out what to do to fix the latest one.
BFN




Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Fri, 17 May 2013 11:48:34 GMT)


Notification sent to "Daniel E. Markle" <dmarkle@ashtech.net>:
Bug acknowledged by developer. (Fri, 17 May 2013 11:48:34 GMT)


Message #41 received at 611661-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 499765-done@bugs.debian.org,541740-done@bugs.debian.org,611661-done@bugs.debian.org,646538-done@bugs.debian.org,650937-done@bugs.debian.org,671937-done@bugs.debian.org,672331-done@bugs.debian.org,673971-done@bugs.debian.org,702765-done@bugs.debian.org,
Cc: serendipity@packages.debian.org, serendipity@packages.qa.debian.org
Subject: Bug#707980: Removed package(s) from unstable
Date: Fri, 17 May 2013 11:47:22 +0000

Version: 1.5.3-2+rm

Dear submitter,

as the package serendipity has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/707980

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Jun 2013 07:45:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:52:10 2019; Machine Name: buxtehude
