ACL can be edited

Related Vulnerabilities: CVE-2010-0287   CVE-2010-0288   CVE-2010-0289  

Debian Bug report logs - #565406

Reported by: "Adrian Lang" <debian@adrianlang.de>

Date: Fri, 15 Jan 2010 14:18:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security

Found in version dokuwiki/0.0.20080505-4

Fixed in versions dokuwiki/0.0.20090214b-3.1, dokuwiki/0.0.20080505-4+lenny1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#565406; Package dokuwiki. (Fri, 15 Jan 2010 14:18:05 GMT)


Acknowledgement sent to "Adrian Lang" <debian@adrianlang.de>:
New Bug report received and forwarded. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Fri, 15 Jan 2010 14:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Adrian Lang" <debian@adrianlang.de>
To: submit@bugs.debian.org
Subject: ACL can be edited
Date: Fri, 15 Jan 2010 15:16:55 +0100 (CET)
Package: dokuwiki
Version: 0.0.20080505-4
Tags: security, patch, fixed-upstream
Severity: serious

A major security problem allows editing the ACL, thus gaining access to a closed wiki. See
[bugtracker] for description and patch. The problem is fixed in version 2009-12-25b; I’ll upload a
package for this version to [mentors] in a few hours.

Regards,
Adrian Lang

[bugtracker] http://bugs.splitbrain.org/index.php?do=details&task_id=1847
[mentors] http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=dokuwiki







Information forwarded to debian-bugs-dist@lists.debian.org, Mohammed Adnène Trojette <adn+deb@diwi.org>:
Bug#565406; Package dokuwiki. (Sun, 17 Jan 2010 13:57:06 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Mohammed Adnène Trojette <adn+deb@diwi.org>. (Sun, 17 Jan 2010 13:57:06 GMT)


Message #10 received at 565406@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 565406@bugs.debian.org
Subject: NMU
Date: Sun, 17 Jan 2010 14:52:39 +0100
Hi,

Attached is a debdiff of the changes I made for 0.0.20090214b-3.1 0-day NMU.

Cheers,
Giuseppe
[dokuwiki_0.0.20090214b-3.1.debdiff (text/plain, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sun, 17 Jan 2010 15:51:15 GMT)


Notification sent to "Adrian Lang" <debian@adrianlang.de>:
Bug acknowledged by developer. (Sun, 17 Jan 2010 15:51:15 GMT)


Message #15 received at 565406-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 565406-close@bugs.debian.org
Subject: Bug#565406: fixed in dokuwiki 0.0.20090214b-3.1
Date: Sun, 17 Jan 2010 15:48:01 +0000
Source: dokuwiki
Source-Version: 0.0.20090214b-3.1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive:

dokuwiki_0.0.20090214b-3.1.diff.gz
  to main/d/dokuwiki/dokuwiki_0.0.20090214b-3.1.diff.gz
dokuwiki_0.0.20090214b-3.1.dsc
  to main/d/dokuwiki/dokuwiki_0.0.20090214b-3.1.dsc
dokuwiki_0.0.20090214b-3.1_all.deb
  to main/d/dokuwiki/dokuwiki_0.0.20090214b-3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 565406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Jan 2010 14:47:41 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20090214b-3.1
Distribution: unstable
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 dokuwiki   - standards compliant simple to use wiki
Closes: 565406
Changes: 
 dokuwiki (0.0.20090214b-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Check against cross-site request forgeries (CSRF)
   * Fixed multiple vulnerabilities in ACL plugin (Closes: #565406)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktTFbEACgkQNxpp46476arB3gCeIUR6JnDiSqbbKUK+eNmNk774
yMUAn0hCr51nfs+WH2o48gB+rs18dmKI
=SMBh
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#565406; Package dokuwiki. (Sun, 17 Jan 2010 23:39:10 GMT)


Acknowledgement sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
Extra info received and forwarded to list. (Sun, 17 Jan 2010 23:39:10 GMT)


Message #20 received at 565406@bugs.debian.org:

From: Mohammed Adnène Trojette <adn+deb@diwi.org>
To: Giuseppe Iuculano <iuculano@debian.org>, 565406@bugs.debian.org
Subject: Re: Bug#565406: NMU
Date: Mon, 18 Jan 2010 00:15:48 +0100
On Sun, Jan 17, 2010, Giuseppe Iuculano wrote:
> Attached is a debdiff of the changes I made for 0.0.20090214b-3.1 0-day NMU.

Thanks.

-- 
Mohammed Adnène Trojette




Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Fri, 22 Jan 2010 19:57:09 GMT)


Notification sent to "Adrian Lang" <debian@adrianlang.de>:
Bug acknowledged by developer. (Fri, 22 Jan 2010 19:57:09 GMT)


Message #25 received at 565406-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 565406-close@bugs.debian.org
Subject: Bug#565406: fixed in dokuwiki 0.0.20080505-4+lenny1
Date: Fri, 22 Jan 2010 19:54:12 +0000
Source: dokuwiki
Source-Version: 0.0.20080505-4+lenny1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive:

dokuwiki_0.0.20080505-4+lenny1.diff.gz
  to main/d/dokuwiki/dokuwiki_0.0.20080505-4+lenny1.diff.gz
dokuwiki_0.0.20080505-4+lenny1.dsc
  to main/d/dokuwiki/dokuwiki_0.0.20080505-4+lenny1.dsc
dokuwiki_0.0.20080505-4+lenny1_all.deb
  to main/d/dokuwiki/dokuwiki_0.0.20080505-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 565406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jan 2010 15:57:35 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20080505-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 dokuwiki   - standards compliant simple to use wiki
Closes: 565406
Changes: 
 dokuwiki (0.0.20080505-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0287, CVE-2010-0288, CVE-2010-0289 (Closes: #565406)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktZwR8ACgkQNxpp46476aqaMgCgnzB/ETC2DcEHYJFZbkw1xOo+
ksMAn2imb4UzsmxYi0qCBhl7fZ0busrP
=rdu2
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Feb 2010 07:27:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:09:54 2019; Machine Name: buxtehude
