uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal

Related Vulnerabilities: CVE-2018-7490   CVE-2018-6758  

Debian Bug report logs - #891639

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Feb 2018 16:03:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version uwsgi/2.0.7-1

Fixed in versions uwsgi/2.0.7-1+deb8u2, uwsgi/2.0.15-10.4, uwsgi/2.0.14+20161117-3+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#891639; Package src:uwsgi. (Tue, 27 Feb 2018 16:03:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Tue, 27 Feb 2018 16:03:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uwsgi: CVE-2018-7490: Mishandled DOCUMENT_ROOT check with use of --php-docroot option allows for directory traversal
Date: Tue, 27 Feb 2018 16:58:06 +0100
Source: uwsgi
Version: 2.0.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for uwsgi.

CVE-2018-7490[0]:
| uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
| --php-docroot option, allowing directory traversal.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
[1] https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html

Regards,
Salvatore
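
A DOCUMENT_ROOT containment check of the kind the CVE description above turns on, as an added example; it is not code from this bug log, from the NMU diff or from uWSGI. The function `under_docroot`, its `boundary` flag and the fixture paths are hypothetical and constructed for the demonstration; the prefix-only mode is a generic weak form shown for contrast.

```c
/* Added illustration, not uWSGI code; every name here is hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp(), symlink() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if docroot/request_path resolves to a file at or below docroot.
 * realpath() collapses "." and ".." and follows symlinks, so the comparison
 * sees the file that would really be opened. With boundary == 0 only a bare
 * string prefix is compared (the weak form, shown for contrast): a sibling
 * such as "<docroot>-private" then still matches. */
int under_docroot(const char *docroot, const char *request_path, int boundary)
{
    char root[PATH_MAX], joined[PATH_MAX], out[PATH_MAX];
    size_t n;

    if (!realpath(docroot, root))
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", root, request_path)
            >= (int)sizeof joined)
        return 0;                       /* would be truncated: reject */
    if (!realpath(joined, out))
        return 0;                       /* unresolvable target: reject */
    n = strlen(root);
    if (n == 1)                         /* docroot is "/" */
        return 1;
    if (strncmp(out, root, n) != 0)
        return 0;
    return !boundary || out[n] == '/' || out[n] == '\0';
}

/* Constructed request paths, relative to the docroot "www". */
static const char *REQUESTS[] = {
    "index.php",                        /* bit 0: legitimate */
    "sub/../index.php",                 /* bit 1: untidy but inside */
    "../www-private/secret.php",        /* bit 2: dot-dot traversal */
    "link/secret.php",                  /* bit 3: leaves via a symlink */
};

/* Builds a constructed fixture in a fresh temp dir (www/index.php,
 * www/sub/, www-private/secret.php, www/link -> ../www-private), checks
 * REQUESTS against docroot "www", removes the fixture and returns a
 * bitmask of accepted requests, or -1 if setup fails. */
int demo_accepted_mask(int boundary)
{
    char base[] = "/tmp/docroot-demo-XXXXXX";
    char root[64], p[128];
    const char *dirs[] = { "www", "www/sub", "www-private" };
    const char *files[] = { "www/index.php", "www-private/secret.php" };
    int mask = 0;
    size_t i;

    if (!mkdtemp(base))
        return -1;
    for (i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", base, dirs[i]);
        if (mkdir(p, 0700)) return -1;
    }
    for (i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", base, files[i]);
        FILE *f = fopen(p, "w");
        if (!f) return -1;
        fclose(f);
    }
    snprintf(root, sizeof root, "%s/www", base);
    snprintf(p, sizeof p, "%s/link", root);
    if (symlink("../www-private", p)) return -1;
    for (i = 0; i < sizeof REQUESTS / sizeof REQUESTS[0]; i++)
        if (under_docroot(root, REQUESTS[i], boundary))
            mask |= 1 << i;
    unlink(p);                          /* p still names www/link */
    for (i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", base, files[i]);
        unlink(p);
    }
    for (i = 3; i-- > 0; ) {            /* children before parents */
        snprintf(p, sizeof p, "%s/%s", base, dirs[i]);
        rmdir(p);
    }
    rmdir(base);
    return mask;
}

int main(void)
{
    printf("prefix only: 0x%x\n", demo_accepted_mask(0));   /* 0xf */
    printf("boundary:    0x%x\n", demo_accepted_mask(1));   /* 0x3 */
    return 0;
}
```

With the boundary test only the two requests that stay inside `www` are accepted; the prefix-only comparison also accepts the two that resolve into the sibling `www-private`.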



Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#891639; Package src:uwsgi. (Sat, 17 Mar 2018 08:39:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Sat, 17 Mar 2018 08:39:06 GMT).


Message #10 received at 891639@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 891639@bugs.debian.org
Subject: uwsgi: diff for NMU version 2.0.15-10.4
Date: Sat, 17 Mar 2018 09:36:09 +0100
Control: tags 891639 + patch
Control: tags 891639 + pending

Dear maintainer,

I've prepared an NMU for uwsgi (versioned as 2.0.15-10.4) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[uwsgi-2.0.15-10.4-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 891639-submit@bugs.debian.org. (Sat, 17 Mar 2018 08:39:06 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 891639-submit@bugs.debian.org. (Sat, 17 Mar 2018 08:39:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#891639; Package src:uwsgi. (Sat, 17 Mar 2018 09:03:05 GMT).


Acknowledgement sent to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Sat, 17 Mar 2018 09:03:05 GMT).


Message #19 received at 891639@bugs.debian.org:

From: Jonas Smedegaard <jonas@jones.dk>
To: 891639@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [pkg-uWSGI-devel] Bug#891639: uwsgi: diff for NMU version 2.0.15-10.4
Date: Sat, 17 Mar 2018 10:00:55 +0100
Quoting Salvatore Bonaccorso (2018-03-17 09:36:09)
> Control: tags 891639 + patch
> Control: tags 891639 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for uwsgi (versioned as 2.0.15-10.4) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

Thanks a lot!

No need to delay at all - you may upload without delay, at any time: 
https://wiki.debian.org/LowThresholdNmu


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#891639; Package src:uwsgi. (Sat, 17 Mar 2018 09:09:07 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Sat, 17 Mar 2018 09:09:08 GMT).


Message #24 received at 891639@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonas Smedegaard <jonas@jones.dk>
Cc: 891639@bugs.debian.org
Subject: Re: [pkg-uWSGI-devel] Bug#891639: uwsgi: diff for NMU version 2.0.15-10.4
Date: Sat, 17 Mar 2018 10:06:22 +0100
Hi Jonas,

On Sat, Mar 17, 2018 at 10:00:55AM +0100, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-03-17 09:36:09)
> > Control: tags 891639 + patch
> > Control: tags 891639 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for uwsgi (versioned as 2.0.15-10.4) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> Thanks a lot!
> 
> No need to delay at all - you may upload without delay, at any time: 
> https://wiki.debian.org/LowThresholdNmu

Ack, thanks. Question: you want here to first enter -10.3 testing as
it fixes an RC bug? or I can upload uwsgi's -10.4 NMU as high so that
it would have entered at nearly same time for testing.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>:
Bug#891639; Package src:uwsgi. (Sat, 17 Mar 2018 09:54:05 GMT).


Acknowledgement sent to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>. (Sat, 17 Mar 2018 09:54:05 GMT).


Message #29 received at 891639@bugs.debian.org:

From: Jonas Smedegaard <jonas@jones.dk>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 891639@bugs.debian.org
Subject: Re: [pkg-uWSGI-devel] Bug#891639: uwsgi: diff for NMU version 2.0.15-10.4
Date: Sat, 17 Mar 2018 10:52:23 +0100
Quoting Salvatore Bonaccorso (2018-03-17 10:06:22)
> On Sat, Mar 17, 2018 at 10:00:55AM +0100, Jonas Smedegaard wrote:
> > Quoting Salvatore Bonaccorso (2018-03-17 09:36:09)
> > > Control: tags 891639 + patch
> > > Control: tags 891639 + pending
> > > 
> > > Dear maintainer,
> > > 
> > > I've prepared an NMU for uwsgi (versioned as 2.0.15-10.4) and
> > > uploaded it to DELAYED/5. Please feel free to tell me if I
> > > should delay it longer.
> > 
> > Thanks a lot!
> > 
> > No need to delay at all - you may upload without delay, at any time: 
> > https://wiki.debian.org/LowThresholdNmu
> 
> Ack, thanks. Question: you want here to first enter -10.3 testing as
> it fixes an RC bug? or I can upload uwsgi's -10.4 NMU as high so that
> it would have entered at nearly same time for testing.

I trust your judgement on whether it makes better sense to speed up
transition to testing or not.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 17 Mar 2018 21:48:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Mar 2018 21:48:10 GMT).


Message #34 received at 891639-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 891639-close@bugs.debian.org
Subject: Bug#891639: fixed in uwsgi 2.0.7-1+deb8u2
Date: Sat, 17 Mar 2018 21:46:18 +0000
Source: uwsgi
Source-Version: 2.0.7-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:37:01 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-greenlet-python uwsgi-plugin-jvm-openjdk-7 uwsgi-plugin-jwsgi-openjdk-7 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.1 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-v8 uwsgi-plugin-php uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators uwsgi-extra
Architecture: all source
Version: 2.0.7-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Janos Guljas <janos@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 889753 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and it's plugins
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-7 - Java plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-jwsgi-openjdk-7 - JWSGI plugin for uWSGI (OpenJDK 7)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI and Coro::AnyEvent plugins for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.1 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI (${uwsgi:RubyDefaultkind})
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
Changes:
 uwsgi (2.0.7-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
     (Closes: #889753)
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 18 Mar 2018 07:51:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Mar 2018 07:51:09 GMT).


Message #39 received at 891639-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 891639-close@bugs.debian.org
Subject: Bug#891639: fixed in uwsgi 2.0.15-10.4
Date: Sun, 18 Mar 2018 07:50:18 +0000
Source: uwsgi
Source-Version: 2.0.15-10.4

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:21:22 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-dev uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3 uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8 uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8 uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-mono uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.5 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg
 libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators
 uwsgi-extra
Architecture: source
Version: 2.0.15-10.4
Distribution: unstable
Urgency: medium
Maintainer: uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and it's plugins
 uwsgi-dev  - fast, self-healing application container server (headers)
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.5 - Rack plugin for uWSGI ()
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI ()
 uwsgi-plugin-ring-openjdk-8 - Closure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.15-10.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 18 Mar 2018 13:21:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Mar 2018 13:21:09 GMT).


Message #44 received at 891639-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 891639-close@bugs.debian.org
Subject: Bug#891639: fixed in uwsgi 2.0.14+20161117-3+deb9u2
Date: Sun, 18 Mar 2018 13:18:43 +0000
Source: uwsgi
Source-Version: 2.0.14+20161117-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
uwsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated uwsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Mar 2018 09:05:43 +0100
Source: uwsgi
Binary: uwsgi uwsgi-dbg uwsgi-src uwsgi-core uwsgi-emperor uwsgi-plugins-all uwsgi-infrastructure-plugins uwsgi-app-integration-plugins uwsgi-mongodb-plugins uwsgi-plugin-alarm-curl uwsgi-plugin-alarm-xmpp uwsgi-plugin-curl-cron uwsgi-plugin-emperor-pg uwsgi-plugin-glusterfs uwsgi-plugin-rados uwsgi-plugin-rbthreads uwsgi-plugin-fiber uwsgi-plugin-geoip uwsgi-plugin-graylog2 uwsgi-plugin-gevent-python uwsgi-plugin-greenlet-python uwsgi-plugin-asyncio-python uwsgi-plugin-asyncio-python3 uwsgi-plugin-tornado-python uwsgi-plugin-gccgo uwsgi-plugin-jvm-openjdk-8 uwsgi-plugin-jwsgi-openjdk-8 uwsgi-plugin-ring-openjdk-8 uwsgi-plugin-servlet-openjdk-8 uwsgi-plugin-ldap uwsgi-plugin-lua5.1 uwsgi-plugin-lua5.2 uwsgi-plugin-luajit uwsgi-plugin-mono uwsgi-plugin-psgi uwsgi-plugin-python uwsgi-plugin-python3 uwsgi-plugin-rack-ruby2.3 uwsgi-plugin-router-access uwsgi-plugin-sqlite3 uwsgi-plugin-v8 uwsgi-plugin-php uwsgi-plugin-xslt libapache2-mod-proxy-uwsgi
 libapache2-mod-proxy-uwsgi-dbg libapache2-mod-uwsgi libapache2-mod-uwsgi-dbg libapache2-mod-ruwsgi libapache2-mod-ruwsgi-dbg python-uwsgidecorators python3-uwsgidecorators
 uwsgi-extra
Architecture: source
Version: 2.0.14+20161117-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: uWSGI packaging team <pkg-uwsgi-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 891639
Description: 
 libapache2-mod-proxy-uwsgi - uwsgi proxy module for Apache2 (mod_uwsgi)
 libapache2-mod-proxy-uwsgi-dbg - debugging symbols for Apache2 mod_proxy_uwsgi
 libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi)
 libapache2-mod-ruwsgi-dbg - debugging symbols for Apache2 mod_Ruwsgi
 libapache2-mod-uwsgi - uwsgi module for Apache2 (mod_uwsgi)
 libapache2-mod-uwsgi-dbg - debugging symbols for Apache2 mod_uwsgi
 python-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 2)
 python3-uwsgidecorators - module of decorators for elegant access to uWSGI API (Python 3)
 uwsgi      - fast, self-healing application container server
 uwsgi-app-integration-plugins - plugins for integration of uWSGI and application
 uwsgi-core - fast, self-healing application container server (core)
 uwsgi-dbg  - debugging symbols for uWSGI server and it's plugins
 uwsgi-emperor - fast, self-healing application container server (emperor scripts)
 uwsgi-extra - fast, self-healing application container server (extra files)
 uwsgi-infrastructure-plugins - infrastructure plugins for uWSGI
 uwsgi-mongodb-plugins - MongoDB/GridFS plugins for uWSGI
 uwsgi-plugin-alarm-curl - cURL alarm plugin for uWSGI
 uwsgi-plugin-alarm-xmpp - XMPP alarm plugin for uWSGI
 uwsgi-plugin-asyncio-python - asyncio plugin for uWSGI (Python 2)
 uwsgi-plugin-asyncio-python3 - asyncio plugin for uWSGI (Python 3)
 uwsgi-plugin-curl-cron - cron cURL plugin for uWSGI
 uwsgi-plugin-emperor-pg - Emperor PostgreSQL plugin for uWSGI
 uwsgi-plugin-fiber - Fiber plugin for uWSGI
 uwsgi-plugin-gccgo - GNU Go plugin for uWSGI
 uwsgi-plugin-geoip - GeoIP plugin for uWSGI
 uwsgi-plugin-gevent-python - gevent plugin for uWSGI (Python 2)
 uwsgi-plugin-glusterfs - GlusterFS storage plugin for uWSGI
 uwsgi-plugin-graylog2 - graylog2 plugin for uWSGI
 uwsgi-plugin-greenlet-python - greenlet plugin for uWSGI (Python 2)
 uwsgi-plugin-jvm-openjdk-8 - Java plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-jwsgi-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-ldap - LDAP plugin for uWSGI
 uwsgi-plugin-lua5.1 - Lua WSAPI plugin for uWSGI (Lua 5.1)
 uwsgi-plugin-lua5.2 - Lua WSAPI plugin for uWSGI (Lua 5.2)
 uwsgi-plugin-luajit - Lua WSAPI plugin for uWSGI (LuaJIT)
 uwsgi-plugin-mono - Mono/ASP.NET plugin for uWSGI
 uwsgi-plugin-php - PHP plugin for uWSGI
 uwsgi-plugin-psgi - Perl PSGI plugin for uWSGI
 uwsgi-plugin-python - WSGI plugin for uWSGI (Python 2)
 uwsgi-plugin-python3 - WSGI plugin for uWSGI (Python 3)
 uwsgi-plugin-rack-ruby2.3 - Rack plugin for uWSGI (${uwsgi:RubyKind})
 uwsgi-plugin-rados - Ceph/RADOS storage plugin for uWSGI
 uwsgi-plugin-rbthreads - Ruby native threads plugin for uWSGI (${uwsgi:RubyDefaultkind})
 uwsgi-plugin-ring-openjdk-8 - Closure/Ring plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-router-access - Access router plugin for uWSGI
 uwsgi-plugin-servlet-openjdk-8 - JWSGI plugin for uWSGI (OpenJDK 8)
 uwsgi-plugin-sqlite3 - SQLite 3 configurations plugin for uWSGI
 uwsgi-plugin-tornado-python - tornado plugin for uWSGI (Python 2)
 uwsgi-plugin-v8 - JavaScript V8 plugin for uWSGI
 uwsgi-plugin-xslt - XSLT request plugin for uWSGI
 uwsgi-plugins-all - all available plugins for uWSGI
 uwsgi-src  - sources for uWSGI plugins
Changes:
 uwsgi (2.0.14+20161117-3+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * enforce php default document_root behaviour, to not show external files
     (CVE-2018-7490) (Closes: #891639)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Apr 2018 07:28:00 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:04 2019; Machine Name: buxtehude