
Bug#516829: marked as done (Http double slash request arbitrary file access vulnerability)



Your message dated Wed, 25 Mar 2009 13:53:37 +0000
with message-id <E1LmTY1-00071A-Nr@ries.debian.org>
and subject line Bug#516829: fixed in mldonkey 2.9.5-2+lenny1
has caused the Debian Bug report #516829,
regarding Http double slash request arbitrary file access vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
516829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mldonkey-server
Version: 2.9.5-2
Severity: grave
Tags: security


Hi,

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to
access any file with the rights of the running MLdonkey daemon by
supplying a specially crafted request (ok, there's not much special
about a double slash) to an MLdonkey HTTP GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and a double slash:

http://mlhost:4080//etc/passwd







--- End Message ---
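
Added example, not part of the original report and not mldonkey's code (mldonkey is written in OCaml and the page does not show its root cause): a generic Python illustration of how a file handler that strips only one leading slash can turn a request such as //etc/passwd into an absolute path, next to a resolver that keeps the result under the document root and a log check for such requests. DOC_ROOT, the function names and the log lines are assumptions constructed for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/lib/webui/static"  # hypothetical root, not mldonkey's layout


def naive_resolve(request_path, root=DOC_ROOT):
    # Weak pattern: strip one leading "/" and join. For "//etc/passwd" the
    # remainder is still absolute, and join() then discards the root.
    return posixpath.join(root, request_path[1:])


def safe_resolve(request_path, root=DOC_ROOT):
    """Return a path under root, or None if the request must be rejected."""
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path:
        return None
    relative = path.lstrip("/")  # remainder can no longer be absolute
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check after normalisation also rejects ".." escapes.
    # On a real filesystem, compare os.path.realpath() results instead so
    # symlinks are resolved before the check.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines (common log format) for the detection check.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2009:13:50:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.77 - - [25/Mar/2009:13:50:09 +0000] "GET //etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.10 - - [25/Mar/2009:13:50:12 +0000] "GET /img//logo.png HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def leading_double_slash_hits(lines):
    """Return (path, status) for requests whose target starts with '//'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and unquote(m.group(1)).startswith("//"):
            hits.append((m.group(1), int(m.group(2))))
    return hits
```

A 200 status on a flagged request against an unpatched server is the case worth investigating; the same request against the hardened resolver maps to a path under the document root.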
--- Begin Message ---
Source: mldonkey
Source-Version: 2.9.5-2+lenny1

We believe that the bug you reported is fixed in the latest version of
mldonkey, which is due to be installed in the Debian FTP archive:

mldonkey-gui_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-gui_2.9.5-2+lenny1_amd64.deb
mldonkey-server_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-server_2.9.5-2+lenny1_amd64.deb
mldonkey_2.9.5-2+lenny1.diff.gz
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.diff.gz
mldonkey_2.9.5-2+lenny1.dsc
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated mldonkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 12 Mar 2009 21:26:26 +0100
Source: mldonkey
Binary: mldonkey-server mldonkey-gui
Architecture: source amd64
Version: 2.9.5-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 mldonkey-gui - Graphical frontend for mldonkey based on GTK+
 mldonkey-server - Door to the 'donkey' network
Closes: 516829
Changes: 
 mldonkey (2.9.5-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Add url.dpatch: Fix double slash vulnerability, closes: #516829.




--- End Message ---