Format: 1.8
Date: Sun, 06 Sep 2015 07:23:33 +0200
Source: publicfile-installer
Binary: publicfile-installer
Architecture: all
Version: 0.11-1
Distribution: xenial-proposed
Urgency: low
Maintainer: Launchpad Build Daemon
Changed-By: Joost van Baal-Ilić
Description:
 publicfile-installer - installer package for the publicfile http and ftp server
Closes: 795062
Changes:
 publicfile-installer (0.11-1) unstable; urgency=low
 .
   * New upstream.  No longer ships install-publicfile, no longer uses /tmp.
     This fixes a serious security issue: a local privilege escalation
     security hole due to insecure use of /tmp.  "This [...] package
     downloads the source code for DJB's publicfile, builds it, and then
     puts the output in a predictable location in a world-writable
     directory, using an existing directory of that name if it already
     exists, then (either automatically or by telling the admin to run
     another script) installs whatever happens to be in that directory.
     This can be exploited by malicious local users to get arbitrary
     installscripts executed as root."  Thanks Justin B Rye.
     Closes: #795062.
     + debian/templates: adjusted.
     + debian/control: Depends: add sudo.
   * debian/changelog: fix spelling error.
Checksums-Sha1:
 a7b95e22c33d83042b576c92491ff2af1c8e3ea4 9660 publicfile-installer_0.11-1_all.deb
Checksums-Sha256:
 20c4a68c78aacd493a04369e1b83415bd05e71cab00b0f4926b2e64b44cd8c22 9660 publicfile-installer_0.11-1_all.deb
Files:
 049119a905d6fede51c9b19fcd270e62 9660 contrib/net extra publicfile-installer_0.11-1_all.deb