Debian Bug report logs - #526258
CVE-2009-1339: CSRF Vulnerability with Image Tag


Package: twiki; Maintainer for twiki is (unknown);

Reported by: Olivier Berger <olivier.berger@it-sudparis.eu>

Date: Thu, 30 Apr 2009 07:48:02 UTC

Severity: grave

Tags: security

Found in version twiki/1:4.0.5-9.1etch1

Fixed in version 1:4.1.2-5+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Sven Dowideit <svenud@ozemail.com.au>:
Bug#526258; Package twiki. (Thu, 30 Apr 2009 07:48:04 GMT)


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Sven Dowideit <svenud@ozemail.com.au>. (Thu, 30 Apr 2009 07:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1339: CSRF Vulnerability with Image Tag
Date: Thu, 30 Apr 2009 09:46:34 +0200
Package: twiki
Version: 1:4.0.5-9.1etch1
Severity: grave
Tags: security
Justification: user security hole

FYI, Twiki in oldstable is affected by a security vulnerability: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2009-1339

AFAIK, there's no patch available for old versions.

Best regards,


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages twiki depends on:
ii  apache2.2-common             2.2.11-3    Apache HTTP Server common files
ii  debconf [debconf-2.0]        1.5.26      Debian configuration management sy
pn  libalgorithm-diff-perl       <none>      (no description available)
ii  libcgi-session-perl          4.41-1      persistent session data in CGI app
ii  libdigest-sha1-perl          2.11-2+b1   NIST SHA-1 message digest algorith
ii  liberror-perl                0.17-1      Perl module for error/exception ha
ii  libhtml-parser-perl          3.60-1      collection of modules that parse H
pn  liblocale-maketext-lexicon-p <none>      (no description available)
pn  libtext-diff-perl            <none>      (no description available)
ii  liburi-perl                  1.37+dfsg-1 Manipulates and accesses URI strin
ii  perl [libmime-base64-perl]   5.10.0-19   Larry Wall's Practical Extraction 
ii  perl-modules [libnet-perl]   5.10.0-19   Core Perl modules
ii  rcs                          5.7-24      The GNU Revision Control System

twiki recommends no packages.

Versions of packages twiki suggests:
pn  libunicode-maputf8-perl       <none>     (no description available)




Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility. (Sun, 06 Dec 2009 11:00:52 GMT)


Notification sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 11:00:52 GMT)


Message #10 received at 526258-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 526258-done@bugs.debian.org
Subject: Package twiki has been removed from Debian
Date: Sun, 06 Dec 2009 10:50:11 +0000
Version: 1:4.1.2-5+rm

You filed the bug http://bugs.debian.org/526258 in Debian BTS
against the package twiki. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/559353. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Jan 2010 07:44:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:56:39 2025; Machine Name: buxtehude
