Bug 66395 - net-www/bugport: undisclosed security-related bug fix in 1.134
Summary: net-www/bugport: undisclosed security-related bug fix in 1.134
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.incogen.com/index.php?type...
Whiteboard: ~? [] vorlon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-05 02:21 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-05 02:21:05 UTC
http://www.incogen.com/index.php?type=General&param=bugport

 10/01/2004
A new version (1.134) was released with a very important, security-related bug fix. It is highly recommended that all BugPort users upgrade, especially if you allow non-trusted users to log in to your BugPort site. Thanks to Eduardo Correia for discovering the bug!

Update Note: to upgrade and keep your existing config.php file, you will need to add a new $attachmentDirectory variable to the config.php file. See the sample config.php file included in the tar file as an example. You will then need to move all dirs/files from your existing bugport/files/ directory into your new attachments directory.

__________________________________________

Secunia advisory 12730 can be found at
http://secunia.com/advisories/12730/
__________________________________________

current KEYWORDS="~x86 ~ppc"
so no GLSA needed

jmglov pls bump the ebuild to 1.134, thanks
Comment 1 Marc Vila 2004-10-06 00:10:31 UTC
xforce advisory @ http://xforce.iss.net/xforce/xfdb/17587
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-07 01:59:12 UTC
web-apps, I haven't heard anything from jmglov; could one of you please look into this and bump the ebuild?
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-09 13:43:35 UTC
changed to ebuild+ since this bug has been open for four days without any reaction now

web-apps/jmglov, pls bump the ebuild
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-10-12 14:36:37 UTC
I've started looking at it. bugport-1.135 doesn't seem to work out of the box, which isn't helping matters.

Best regards,
Stu
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-18 00:33:48 UTC
1.136 seems to be out now too.
Any progress on the new ebuild?

_____
The vulnerability seems to be somewhere in the handling of attached files.

http://securitytracker.com/alerts/2004/Oct/1011543.html
http://www.osvdb.org/10482
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-10-21 08:38:30 UTC
This version doesn't work out of the box either.

If no-one complains, I'm happy to mask this package.

Best regards,
Stu
Comment 7 Kurt Lieber (RETIRED) gentoo-dev 2004-10-22 04:54:34 UTC
hard-masked in portage.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-26 02:57:55 UTC
Markus: any success in your webapp-config learning?

Please let us know if you still want to handle this package, for example by putting yourself in the metadata.xml file :)
Comment 9 Markus Nigbur (RETIRED) gentoo-dev 2004-11-26 14:58:00 UTC
Alright, enough testing. Submitted the newest version, removed the old one and the package mask.

I also added a metadata stating me as maintainer.
Comment 10 Markus Nigbur (RETIRED) gentoo-dev 2004-11-26 15:13:02 UTC
err, security bug. Close after GLSA is sent out.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 05:57:24 UTC
~arch masked, so no need for GLSA.
Thanks for taking this, Markus.

No GLSA needed, metadata.xml up to date and vulnerable version removed -> closing