[Pkg-mediawiki-devel] Bug#550940: Bug#550940: Mediawiki settings file world-readable

Jonathan Wiltshire jmw at debian.org
Mon Jul 4 21:52:43 UTC 2011


On Mon, Jul 04, 2011 at 11:35:29PM +0200, Nico Golde wrote:
> Hi,
> * Ian Jackson <ijackson at chiark.greenend.org.uk> [2011-07-04 13:00]:
> > Hi, security guys.  Would you care to take a look at #550940 ?  
> > I think this is the kind of security problem which should perhaps
> > warrant a DSA.
> > 
> > The maintainer's response (that this is fixed in a new upstream
> > version and therefore wouldn't be fixed in squeeze) seems
> > very surprising to me.

At the time, and in the context of a deep freeze, a new upstream into unstable
would have been most unwelcome. In 1.16 upwards, generation of
LocalSettings.php is apparently completely overhauled and fixes this bug.

Unfortunately neither I nor the rest of the team have yet had chance to
package it.

> If yes, this should get a DSA.

If you think it necessary I would not object to a DSA, though at the time I
ranked it less urgent because it's at least documented, even if not
optimal.

> 
> Kind regards
> Nico
> -- 
> Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
> For security reasons, all text in this mail is double-rot13 encrypted.



-- 
Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51