Accepted publicfile-installer 0.11-1 (source all) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 06 Sep 2015 07:23:33 +0200
Source: publicfile-installer
Binary: publicfile-installer
Architecture: source all
Version: 0.11-1
Distribution: unstable
Urgency: low
Maintainer: Joost van Baal-Ilić <joostvb@debian.org>
Changed-By: Joost van Baal-Ilić <joostvb@debian.org>
Description:
 publicfile-installer - installer package for the publicfile http and ftp server
Closes: 795062
Changes:
 publicfile-installer (0.11-1) unstable; urgency=low
 .
   * New upstream.  No longer ships install-publicfile, no longer uses /tmp.
     This fixes a serious security issue: a local privilege escalation
     security hole due to insecure use of /tmp. "This [...] package downloads
     the source code for DJB's publicfile, builds it, and then puts the
     output in a predictable location in a world-writable directory, using an
     existing directory of that name if it already exists, then (either
     automatically or by telling the admin to run another script) installs
     whatever happens to be in that directory.  This can be exploited by
     malicious local users to get arbitrary installscripts executed as root."
     Thanks Justin B Rye.  Closes: #795062.
     + debian/templates: adjusted.
     + debian/control: Depends: add sudo.
   * debian/changelog: fix spelling error.
Checksums-Sha1:
 420a02e48c1febf15a285307b315c6da01ed87b4 1580 publicfile-installer_0.11-1.dsc
 0acd86aeee87338c9765a88cf953769c475d7cab 18873 publicfile-installer_0.11.orig.tar.gz
 adb698e9182ebb4baa2cca2a300a546d52287b3a 4928 publicfile-installer_0.11-1.debian.tar.xz
 b8c59952328536d8ecd0424fcb2520549afd05d6 11676 publicfile-installer_0.11-1_all.deb
Checksums-Sha256:
 ec50bac4902c8730bd6b95d59e5e87d0b735968dd3eae54abf72f0ec8baf4c2f 1580 publicfile-installer_0.11-1.dsc
 b7b4897473006da7fbef6ace95f817e6073f85e26a331d236774fd11b80382bd 18873 publicfile-installer_0.11.orig.tar.gz
 7611358999414f05f58c1c7a52726f3ccf9ed488c0573c71d2360149982ee572 4928 publicfile-installer_0.11-1.debian.tar.xz
 51ee9d383d9f14eab25b35ca3a0c0c58218935a295f481c5cebc0af825f58c51 11676 publicfile-installer_0.11-1_all.deb
Files:
 2d21fe4255426e9e3026b82f5b3dc1b3 1580 contrib/net extra publicfile-installer_0.11-1.dsc
 51703972ffd065a82f3ef774c262d99a 18873 contrib/net extra publicfile-installer_0.11.orig.tar.gz
 640dd63aa49c86f0a24c3363d95f041d 4928 contrib/net extra publicfile-installer_0.11-1.debian.tar.xz
 cd06a3f61cb056f3406b24541873ca08 11676 contrib/net extra publicfile-installer_0.11-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
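
The flaw quoted in the changelog (a predictable path in a world-writable directory, reused if it already exists, then installed from) is shown below next to one general mitigation. This is an added example, not code from publicfile-installer or its upstream fix; all function names and the `build.XXXXXXXXXX` template are hypothetical, and it assumes the same account creates the directory and runs the install step.

```shell
#!/bin/sh
# Added illustration; not taken from publicfile-installer.

# Risky pattern described in the changelog (left as a comment on purpose):
#   mkdir -p /tmp/some-fixed-name      # succeeds even if someone else made it
#   ...build into it, then install whatever is there as root...

# is_trusted_dir PATH: succeed only if PATH is a real directory (not a
# symlink), owned by the current user, and not group- or world-writable.
is_trusted_dir() {
    td_path=$1
    [ -d "$td_path" ] || return 1
    [ ! -L "$td_path" ] || return 1
    [ -O "$td_path" ] || return 1
    # find prints the path only if a group- or other-write bit is set.
    [ -z "$(find "$td_path" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# new_build_dir: create a fresh, unpredictable, mode-0700 directory and print
# its path. mktemp -d fails rather than adopting an existing name.
new_build_dir() {
    nb_dir=$(mktemp -d "${TMPDIR:-/tmp}/build.XXXXXXXXXX") || return 1
    is_trusted_dir "$nb_dir" || return 1
    printf '%s\n' "$nb_dir"
}

# install_from PATH: stand-in for the privileged install step. It re-checks
# the directory and refuses anything that fails; the real install command is
# replaced by an echo here.
install_from() {
    if ! is_trusted_dir "$1"; then
        echo "refusing to install from untrusted directory: $1" >&2
        return 1
    fi
    echo "would install from $1"
}
```
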