[Pkg-monitoring-maintainers] Bug#683584: security update ready for squeeze (3.1.8)

Daniel Pocock daniel at pocock.com.au
Sat Jan 19 10:22:47 UTC 2013


On 19/01/13 10:09, Salvatore Bonaccorso wrote:
> Hi Yves,
> 
> On Mon, Jan 07, 2013 at 09:32:48PM +0100, Yves-Alexis Perez wrote:
>> On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
>>> On 07/01/13 07:27, Yves-Alexis Perez wrote:
>>>> On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
>>>> 
>>>>> Yes, the 3.1.8 security fix from upstream has been packaged
>>>>> and has been waiting for security team to process through
>>>>> to the archive
>>>>> 
>>>> Can you elaborate on that?
>>>> 
>>> 
>>> 
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
>>> 
>>> was done before I became a DD, so although I could upload the
>>> fix into git.debian.org, I did not have any access to upload
>>> any binary package
>>> 
>>> Has somebody built and uploaded to the archive already?  As it
>>> is for current stable branch, can I upload myself or does the
>>> security team take care of the upload?
>> 
>> Please provide a debdiff against stable.
> 
> I tried to look at this myself and found upstream commit [1], for
> a similar commit.
> 
> [1]:
> https://github.com/ganglia/ganglia-web/commit/b9f47b0eb9ae81144e90544b04e85bed15c8c2f4
>
>  Comparing the diff 3.1.7 to 3.1.8 source I find this:
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> 
diff -urN source-ganglia/ganglia-3.1.7/web/graph.php
ganglia-3.1.8/web/graph.php
> --- source-ganglia/ganglia-3.1.7/web/graph.php	2010-02-17
> 12:05:39.000000000 +0100 +++ ganglia-3.1.8/web/graph.php	2012-08-15
> 19:12:12.000000000 +0200 @@ -1,5 +1,5 @@ <?php -/* $Id: graph.php
> 2183 2010-01-07 16:09:55Z d_pocock $ */ +/* $Id$ */ include_once
> "./eval_config.php"; include_once "./get_context.php"; include_once
> "./functions.php"; @@ -122,7 +122,7 @@
> 
> $graph_file = "$graphdir/$graph.php";
> 
> -if ( is_readable($graph_file) ) { +if ( is_readable($graph_file)
> and realpath($graphdir) === dirname(realpath($graph_file)) ) { 
> include_once($graph_file);
> 
> $graph_function = "graph_${graph}"; 
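Review bot: The new guard on the `+if` line closes the traversal by canonicalising both sides, but `$graph` itself is still unvalidated and is interpolated again a few lines later in `$graph_function = "graph_${graph}";`. Consider whitelisting `$graph` before the path is built, for example rejecting anything that fails `preg_match('/^[A-Za-z0-9_]+$/', $graph)`, so the `realpath()`/`dirname()` containment check becomes a second line of defence rather than the only one. Also worth noting in the changelog: because `realpath()` follows symlinks and the comparison requires the file to sit directly in `$graphdir`, graphs in subdirectories of `$graphdir` and symlinked graphs that resolve outside it are now rejected as well.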
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
>  By passing g= argument, it is possible to traverse the path and
> load another file and execute code from it.
> 
> Attached is the debdiff against 3.1.7-1 in squeeze.
> 
> Regards, Salvatore


Just following up on this.

- I've added pkg-monitoring-maintainers at lists.alioth.debian.org to the
CC, as there are more people now involved with Ganglia packaging

- if it is acceptable for the upload, I've also put the current
Maintainer and VCS details in debian/control on the squeeze branch



diff --git a/debian/changelog b/debian/changelog
index a655fa6..0a0cb20 100644
- --- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ganglia (3.1.8-2) UNRELEASED; urgency=low
+
+  * Package now under pkg-monitoring maintainership, update control
+
+ -- Daniel Pocock <daniel at pocock.com.au>
+
 ganglia (3.1.8-1) unstable; urgency=low

   * Fix for path injection security bug (Closes: #683584)
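Review bot: The trailer line `+ -- Daniel Pocock <daniel at pocock.com.au>` is incomplete: a Debian changelog trailer needs the maintainer address followed by two spaces and an RFC 2822 date (what `dch` writes), and `dpkg-parsechangelog` will refuse the entry as-is. `UNRELEASED` also has to become the real target distribution before this is uploaded for squeeze.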
diff --git a/debian/control b/debian/control
index e308bad..4970f40 100644
- --- a/debian/control
+++ b/debian/control
@@ -1,10 +1,12 @@
 Source: ganglia
 Section: net
 Priority: optional
- -Maintainer: Stuart Teasdale <sdt at debian.org>
+Maintainer: Debian Monitoring Maintainers
<pkg-monitoring-maintainers at lists.alioth.debian.org>
 Homepage: http://www.ganglia.info/
 Build-Depends: debhelper (>> 5.0.0), librrd2-dev, autoconf,
autotools-dev, automake, libapr1-dev, libexpat1-dev, python-dev,
libconfuse-dev, po-debconf, libxml2-dev, libdbi0-dev, libpcre3-dev
 Standards-Version: 3.8.4
+Vcs-Git: git://git.debian.org/pkg-monitoring/ganglia.git
+Vcs-Browser:
http://git.debian.org/?p=pkg-monitoring/ganglia.git;a=summary

 Package: ganglia-monitor
 Architecture: any
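Review bot: Switching `Maintainer:` to the team list without adding an `Uploaders:` field leaves no human maintainer named, which Debian Policy expects when the maintainer is a mailing list; add `Uploaders:` with the team members who will handle the package. Separately, since this debdiff is meant for a stable security upload, the Maintainer and Vcs changes are unrelated to the fix and are the kind of change the security team usually asks to keep out of a stable update; consider limiting the squeeze debdiff to the graph.php fix and its changelog entry and landing the control changes in unstable.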

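To make the quoted description of the g= traversal concrete, here is an added example (mine, written in Python rather than the project's PHP) that reimplements the 3.1.8 guard from the quoted graph.php hunk and runs it over a constructed directory layout: the `..` traversal Salvatore describes, a graph in a subdirectory, a symlink that escapes `$graphdir`, and a missing file are all rejected, and only the graph sitting directly in `$graphdir` is accepted. The file names and layout are assumptions for the demonstration, not taken from the bug report.

```python
import os
import tempfile


def resolve_graph_file(graphdir, graph):
    """Python mirror of the ganglia 3.1.8 guard (the project itself is PHP).

    Returns the canonical path of "<graphdir>/<graph>.php" only when the
    file is readable AND its canonical parent directory equals the
    canonical graphdir, the same test the patched graph.php makes with
    realpath() and dirname(). Returns None otherwise.
    """
    graph_file = os.path.join(graphdir, graph + ".php")
    # 3.1.7 stopped here: a readability check alone accepts "../outside".
    if not os.access(graph_file, os.R_OK):
        return None
    # 3.1.8 addition: canonicalise both sides (this resolves "..", "." and
    # symlinks) and require the file to sit directly inside graphdir.
    if os.path.realpath(graphdir) != os.path.dirname(os.path.realpath(graph_file)):
        return None
    return os.path.realpath(graph_file)


def build_fixture():
    """Constructed sample layout (an assumption, not from the bug report):
    one legitimate graph, a graph in a subdirectory, a file one level
    above graphdir, and a symlink inside graphdir pointing at that file."""
    root = tempfile.mkdtemp()
    graphdir = os.path.join(root, "graph.d")
    os.makedirs(os.path.join(graphdir, "sub"))
    for rel in ("graph.d/cpu_report.php", "graph.d/sub/nested.php", "outside.php"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>")
    os.symlink(os.path.join(root, "outside.php"), os.path.join(graphdir, "link.php"))
    return graphdir


def check_cases(graphdir):
    """Map each constructed g= value to whether the guard accepts it."""
    cases = ["cpu_report", "../outside", "sub/nested", "link", "missing"]
    return {g: resolve_graph_file(graphdir, g) is not None for g in cases}


if __name__ == "__main__":
    for g, ok in check_cases(build_fixture()).items():
        print(f"g={g!r:14} -> {'included' if ok else 'rejected'}")
```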