First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 135002
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 135002 depends on: 147393 Show dependency tree
Bug 135002 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-05-31 02:04 0000 
A missing check in mod_mono path canonicalization allows disclosure of
arbitrary files when relative path names are used in a HTTP request. As
a result any local file, accessible to the user running Apache, can be
viewed by the attacker.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-06-13 02:48:14 0000 ------- 
ramereth please provide fixed ebuilds, thanks

------- Comment #2 From Lance Albertson 2006-06-13 19:43:28 0000 ------- 
Do you want this patch applied to all the ebuilds, or is there a current
version that has this fix? I'm in desperate need of bumping this ebuild
anyways, just hadn't gotten to it.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-06-14 02:30:18 0000 ------- 
I guess a new revision with the patch applied should be fine.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-07-29 05:52:18 0000 ------- 
Lance, are you with us ?

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-09-05 06:01:03 0000 ------- 
Lance any news on this one?

------- Comment #6 From Lance Albertson 2006-09-08 07:58:25 0000 ------- 
(In reply to comment #5)
> Lance any news on this one?
> 

Sigh, I've been extremely busy with work/life lately and haven't been able to
get to this. See if someone from the dotnet group can take care of it until I
can find time. Sorry about that.

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-09-08 10:19:23 0000 ------- 
Thx Lance. Back to ebuild status.

------- Comment #8 From Jakub Moc (RETIRED) 2006-09-13 00:30:33 0000 ------- 
FWIW, there are ebuilds for 1.1.16.1 in Bug 147393, some dotnet folks could
checks them out. ;)

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-09-19 00:29:31 0000 ------- 
No response from herd, perhaps we should get this one masked?

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-09-26 09:19:30 0000 ------- 
Security/dotnet should we mask or bump?

------- Comment #11 From Thierry Carrez (RETIRED) 2006-09-27 12:54:37 0000 ------- 
I would mask it if they don't bump it very soon

------- Comment #12 From Matthias Geerdsen 2006-09-29 04:52:03 0000 ------- 
CC'ing apache since they are listed in metadata too

someone pls patch/bump

otherwise i agree that it should get masked soon

------- Comment #13 From Michael Stewart (vericgar) (RETIRED) 2006-09-29 16:49:15 0000 ------- 
I would bump, but the depends are too heafty for me to test this and I have no
desire of putting the mono/dotnet stack on my system.

This package is not stable on any arch, I'm for package.mask.

------- Comment #14 From Matthias Geerdsen 2006-10-11 05:28:08 0000 ------- 
10 more days passed without reaction

someone with commit rights, pls mask this package refering to the security
issue in this bug

------- Comment #15 From Chris White (RETIRED) 2006-10-19 07:35:14 0000 ------- 
Commited to package.mask

------- Comment #16 From Jurek Bartuszek 2006-10-27 08:16:44 0000 ------- 
This bug does not affect any newer xsp versions. The older xsp-1.0.x ebuilds
have been removed from the tree recently and 1.1.10-r1 was bumped to -r2 which
now contains the proper patch. Therefore I'm closing this bug. Thanks!
First Last Prev Next    No search results available      Search page      Enter new bug