publicfile-installer (0.11-1) unstable; urgency=low
* New upstream. No longer ships install-publicfile, no longer uses /tmp.
This fixes a serious security issue: a local privilage escalation
security hole due to insecure use of /tmp. "This [...] package downloads
the source code for DJB's publicfile, builds it, and then puts the
output in a predictable location in a world-writable directory, using an
existing directory of that name if it already exists, then (either
automatically or by telling the admin to run another script) installs
whatever happens to be in that directory. This can be exploited by
malicious local users to get arbitrary installscripts executed as root."
Thanks Justin B Rye. Closes: #795062.
+ debian/templates: adjusted.
+ debian/control: Depends: add sudo.
* debian/changelog: fix spelling error.
-- Joost van Baal-Ilić <email address hidden> Sun, 06 Sep 2015 07:23:33 +0200
installer package for the publicfile http and ftp server