Found a curious bug in the #debian #wordpress package last night. There is a reasonably old security patch for CVE-2017-14990 where the activation key is stored in plaintext for multisite users (normal users it's hashed).
Anyway it's a broken patch because it doesn't decide the user id. Easy to fix but I never used it before.
I just found out someone still maintains one of the first free software programs I wrote so many years ago. Checked the changelog and it was 25 July 1995! A 24 -year old program still in use.
There has been a bit of a clean up and all my comment out debug code removed (good!) but its basically the same.
Fortunately the Linux kernel driver I wrote has long gone 😱
#wordpress 5.2.4 is now available! This security release fixes 6 security issues.
WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2
Every time I have to interact with sourceforge it reminds me how backward the site is. I have had so many 503 errors, comments disappearing from bug reports or some truly bizzare happenings in text boxes where the words repeat.
I'm so glad I moved my stuff off it, originally due to the previous owners dodgy behavior but now for all this.
An update! They looked at the net-snmp bug again and there was a fix already, just not in the current release.
Amazing how two simple lines can ruin your day.
WordPress version 5.2.3 is now out which is a security release. It fixes a bunch of XSS problems and some sanitization problems. Debian packages soon.
Let's see if stock snmpd has this bug too eh?
Done some work on #psmisc tonight, mainly some merge requests and bug fixes.
Matching NFS still can cause problems (they changed the way NFS "looks" in the proc filesystem) but I merged in some changes so it hangs less, I hope.
peekd will also work with ARM64 CPUs after someone gave me a patch for that.
I was looking at the net-snmp code trying to work out the differences between the PID file generating code for snmpd and snmptrapd.
🔹 snmpd uses open() with permissions of 0600
🔹 snmptrapd uses fopen() with permissions of 0644
Given there on my system there is only one other PID file with 0600 I patched snmpd to use 0644.
That should mean you're ok for most current WordPress security bugs except for CVE-2019-8943 which is a path traversal bug. I think it's fixed for WordPress proper but many modules are still vulnerable.
I've been triaging a bunch of net-snmp bugs on the #debian bug tracker tonight. There are a lot of old ones for versions of net-snmp long gone.
Strangely there are old bugs that are still there, like why are the permissions for snmp and snmptrapd pid files different?
Clearing out the old ones means I can concentrate on what is left.
The Debian specific patches are now applying cleanly so the next steps are
* to make sure it compiles
* Fix it when it surely won't
* Look at the Debian bugs and fix/close those
It's a pretty big codebase that takes forever to compile so it won't be a fast process.
Free Software programmer, network engineer and Debian developer.
100% tomato verified. 🍅✔
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!