
Uploaded dwww 1.4.1-1 (source i386) to master



Here's release 1.4.1 of dwww.  

This release fixes a few minor bugs, and one major
SECURITY BUG.  I strongly recommend upgrading to this
version from all previous versions.

The CGI script, in /usr/lib/dwww/dwww.cgi, would accept 
backquotes and '$' characters, then pass them on to bash.  
This enables people to execute commands as the CGI user.  
This is particularly dangerous if someone configures their 
web server to run CGI programs as root. dwww.cgi was 
modified to convert all backquotes and dollar signs into 
underscores.

There will probably be a subsequent release with some
improved documentation.

The next release after will focus on getting some of the 
package information from dpkg into the system, and 
improvements to the searching.

Cheers,

 - Jim

-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.5
Date: Tue, 8 Apr 1997 12:00:21 -0700
Source: dwww
Binary: dwww
Architecture: source i386
Version: 1.4.1-1
Distribution: frozen unstable
Urgency: high
Maintainer: Jim Pick <jim@jimpick.com>
Description: 
 dwww       - Read all on-line documentation via WWW
Changes: 
 dwww (1.4.1-1) frozen unstable; urgency=high
 .
   * Fixed major security flaw: dwww.cgi would accept backquotes
     and '$' characters, then pass them on to bash.  This enables
     people to execute commands as the CGI user.  Particularly
     dangerous if someone configures their web server to run
     CGI programs as root. dwww.cgi was modified to convert all
     backquotes and dollar signs into underscores.
   * dwww.cgi: don't convert '+' characters into spaces - fixes
     bug #8563 (Thanks Lars Wirzenius and Joost Witteveen)
   * dwwwconfig: place quotes around DWWW_SERVERTYPE in
     /etc/dwww/dwww.conf to cope with server names with space
     such as CERN httpd - fixes bug #8525
   * /etc/cron.daily/dwww: added line to cd to /var/spool/dwww
     to prevent error message that someone was having (not me)
     - fixed bug #8591
Files: 
 5ad16f1db79b1db3b58417ef4016b00d 597 doc optional dwww_1.4.1-1.dsc
 d530f73c1f4f2121d98cbe3ca6502acc 53443 doc optional dwww_1.4.1.orig.tar.gz
 00bfb615783e63927a88cf27c8b228de 20 doc optional dwww_1.4.1-1.diff.gz
 c6024bc4cb877706c6fbf245ca581a68 46688 doc optional dwww_1.4.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBM0qbduQz770qyIfJAQHy3AP/RnKuqQri5FhxtCV2qhDBgFZCmRZrEVGD
HL6AY6N3967rENvXpprRfkVrsuj/5/jjX4lOQdgp5C7F7zPXHYUi5YXbNSwlrhQB
qyRYwzkx5bwi3MMNvIPmUMGpiYh652wIipjgl3URYzQRB6dXsxIc/hlh4snPdaHZ
5jtfTx9lxZE=
=f7N2
-----END PGP SIGNATURE-----
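
The character replacement described in the announcement, sketched as an added example that is not dwww's own code: it shows the backquote and dollar-sign substitution next to a stricter allowlist and a check for flagging suspicious values before they are cleaned. All function names are hypothetical, the allowlist character set is an assumption, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added illustration, not dwww's own code; all function names are hypothetical.

# The fix as the announcement describes it: every backquote and dollar
# sign in the request value becomes an underscore.
neutralize_expansion_chars() {
    printf '%s' "$1" | tr '`$' '__'
}

# Stricter variant (an assumption, not part of the announced fix):
# keep only characters expected in a document name and turn everything
# else into '_'. This also covers ;, |, &, quotes and whitespace.
allowlist_param() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9._/+-' '_'
}

# Detection helper: succeeds when the raw value carries a character the
# shell would expand, so the request can be logged before it is cleaned.
has_expansion_chars() {
    case $1 in
        *'`'*|*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values, not taken from any real request log.
for raw in 'g++' 'bash`echo x`$HOME' 'libc6; true'; do
    if has_expansion_chars "$raw"; then flag=SUSPICIOUS; else flag=ok; fi
    printf '%-10s denylist=[%s] allowlist=[%s]\n' "$flag" \
        "$(neutralize_expansion_chars "$raw")" "$(allowlist_param "$raw")"
done
```

The third sample passes the backquote and dollar-sign filter unchanged while the allowlist rewrites it. Independently of either filter, request values should stay in double-quoted variables and never be re-parsed by the shell (for example through `eval`).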

