Fwd: security bugfix in PET r743
gregor herrmann
gregoa at debian.org
Thu Sep 3 20:25:51 UTC 2009
On Thu, 03 Sep 2009 12:23:28 +0200, Holger Levsen wrote:
> > I saw you were owners of PET installations in alioth, so please see
> > this mail below.
> I had no idea I was?!
I hope you like the good news :)
> > If you happen to run a PET instance that is not automatically synched
> > with the main Subversion repository, please take the necessary steps
> > to secure it.
> what do I have to do?
TBH, I'm also always a bit confused about which PET installations are
updated automatically and how.
What I see is /srv/alioth.debian.org/chroot/home/groups/pet/PET/debian-edu
which probably means that the debian-edu installation is
auto-updated, and I don't see anything PET-related in
/home/groups/debian-edu.
*a bit later*
Oh, but, OTOH:
$ ll /home/groups/debian-edu/qa
total 68
-rw-r--r-- 1 holger debian-edu 796 2007-11-08 12:23 commoncheck
-rw-r--r-- 1 holger debian-edu 1450 2007-11-08 18:47 DebianEdu.conf
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 18:45 DebianQA
-rw-r--r-- 1 holger debian-edu 1395 2007-11-08 12:23 DebianQA.conf-sample
-rwxr-xr-x 1 holger debian-edu 3770 2007-11-08 12:23 fetchdata
-rw-r--r-- 1 holger debian-edu 73 2007-11-08 12:23 htaccess
-rwxr-xr-x 1 holger debian-edu 507 2007-11-08 12:23 maintainercheck
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 12:23 oldscripts
-rwxr-xr-x 1 holger debian-edu 4787 2007-11-08 12:23 packagecheck
-rwxr-xr-x 1 holger debian-edu 3482 2007-11-08 12:23 qareport
-rwxr-xr-x 1 holger debian-edu 4788 2007-11-08 18:44 qareport.cgi
-rw-r--r-- 1 holger debian-edu 4533 2007-11-08 18:44 README
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 18:44 templates
-rwxr-xr-x 1 holger debian-edu 667 2007-11-08 12:23 wnppcheck
$ ll /home/groups/debian-edu/qa/DebianQA
total 64
-rw-r--r-- 1 holger debian-edu 6763 2007-11-08 12:23 Archive.pm
-rw-r--r-- 1 holger debian-edu 4093 2007-11-08 12:23 BTS.pm
-rw-r--r-- 1 holger debian-edu 7124 2007-11-08 12:23 Cache.pm
-rw-r--r-- 1 holger debian-edu 1005 2007-11-08 12:23 Common.pm
-rw-r--r-- 1 holger debian-edu 4370 2007-11-08 12:23 Config.pm
-rw-r--r-- 1 holger debian-edu 2377 2007-11-08 12:23 DebVersions.pm
-rw-r--r-- 1 holger debian-edu 10390 2007-11-08 12:51 Svn.pm
-rw-r--r-- 1 holger debian-edu 12338 2007-11-08 18:44 Watch.pm
$ ll /home/groups/debian-edu/cgi-bin/qareport.cgi
lrwxrwxrwx 1 holger debian-edu 18 2007-11-08 13:00 /home/groups/debian-edu/cgi-bin/qareport.cgi -> ../qa/qareport.cgi
DebianQA was the first name of PET, and it seems that some 'holger'
installed it almost two years ago :)
(And some non-PET scripts in qa/ are also from the pk-perl group from
years ago.)
And http://debian-edu.alioth.debian.org/cgi-bin/qareport.cgi still
works! (Even with my very ugly 'lightsalmon' and 'lightseagreen'
colours in the CSS that only survived a few days.)
/srv/alioth.debian.org/chroot/home/groups/debian-edu/qa/DebianQA/Watch.pm
indeed contains the vulnerability that was (tried to be) addressed in the
patch Tincho mentioned.
If you don't use it (which I assume, since the version is ancient and
manually installed, and you don't remember it), I suppose you could just rm
the qa/ directory.
(Tincho will surely feed in details in case I'm missing something.)
Cheers,
gregor
--
.''`. http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
: :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
`. `' Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
`- NP: Arlo Guthrie & Pete Seeger: Arlo Guthrie - Amazing Grace