

dwww 1.4.1-1 fixes security bug



[I cross-posted to the wrong address, so I'm resending this
 to security@debian.org]


I just uploaded release 1.4.1 of dwww.  It is now in Incoming
on master.

This release fixes a few minor bugs, and one major
SECURITY BUG.  I strongly recommend upgrading to this
version from all previous versions.

The CGI script, in /usr/lib/dwww/dwww.cgi, would accept
backquotes and '$' characters, then pass them on to bash.
This enables people to execute commands as the CGI user.
This is particularly dangerous if someone configures their
web server to run CGI programs as root. dwww.cgi was
modified to convert all backquotes and dollar signs into
underscores.

Sorry I didn't catch this earlier.

Cheers,

 - Jim
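The character filtering described in the announcement above, written out as an added example (not dwww's own dwww.cgi code): `sanitize_query` is the 1.4.1 mitigation of replacing backquotes and dollar signs with underscores, and `validate_query` is a stricter allowlist alternative. The function names, the allowed character set and the sample query strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from dwww. Shows the 1.4.1 mitigation and a
# stricter allowlist check for a value that arrives via QUERY_STRING.

# Mitigation as described in the announcement: every backquote and
# dollar sign becomes an underscore before the value goes anywhere near
# a shell, so `...` and $VAR can no longer be expanded.
sanitize_query() {
    printf '%s' "$1" | tr '`$' '__'
}

# Allowlist alternative (character set is an assumption for this example):
# accept only characters a manual or document path would contain and
# reject the rest. Returns 0 when the value is acceptable, 1 otherwise.
validate_query() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# Safe hand-off: the value is passed as a separate, quoted argument.
# The bug in the old script came from the opposite pattern, building a
# command string containing the raw value and handing it to bash, which
# re-parses the string and expands backquotes and $ inside it.
run_query() {
    q="$1"
    validate_query "$q" || { echo "rejected"; return 1; }
    q=$(sanitize_query "$q")
    # "$q" is expanded exactly once, as one word, and never re-parsed.
    echo "lookup: $q"
}

# Constructed sample inputs for a stand-alone run.
run_query 'man/ls.1'
run_query 'dwww`x`$HOME' || true
```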


