[Pkg-mediawiki-devel] Bug#550940: Bug#550940: Mediawiki settings file world-readable

Nico Golde nion at debian.org
Tue Jul 5 18:17:40 UTC 2011


Hi,
* Jonathan Wiltshire <jmw at debian.org> [2011-07-04 23:56]:
> On Mon, Jul 04, 2011 at 11:35:29PM +0200, Nico Golde wrote:
> > * Ian Jackson <ijackson at chiark.greenend.org.uk> [2011-07-04 13:00]:
> > > Hi, security guys.  Would you care to take a look at #550940 ?  
> > > I think this is the kind of security problem which should perhaps
> > > warrant a DSA.
> > > 
> > > The maintainer's response (that this is fixed in a new upstream
> > > version and therefore wouldn't be fixed in squeeze) seems
> > > very surprising to me.
> 
> At the time, and in the context of a deep freeze, a new upstream into unstable
> would have been most unwelcome. In 1.16 upwards, generation of
> LocalSettings.php is apparently completely overhauled and fixes this bug.
> 
> Unfortunately neither I nor the rest of the team have yet had chance to
> package it.

Can you check back with upstream if they can provide a diff to fix this?

> > If yes, this should get a DSA.
> 
> If you think it necessary I would not object to a DSA, though at the time I
> ranked it less urgent because it's at least documented, even if not
> optimal.

Can you point me to the place where this is documented?

Thanks
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.