Hi Michael

Thanks a lot for your report!

On Fri, Apr 10, 2009 at 10:34:17AM -0400, Michael S. Gilbert wrote:
> package: pptp-linux
> severity: important
> tags: security
>
> Hello,
>
> Fedora issued the following update for pptp-linux, which they have
> tagged as security-related:
>
> This update corrects the behaviour of pptpsetup when its --delete
> option is used, retaining the permissions of /etc/ppp/chap-secrets
> rather than creating a new file that is likely to be world-readable.
> If you have previously used the --delete option of pptpsetup, you
> should reset the permissions of /etc/ppp/chap-secrets to their
> default value of 0600 unless you have good reasons to use another
> value:
>
> # chmod 600 /etc/ppp/chap-secrets
>
> Is this problem present in debian, and should it be of concern to the
> security team? From my perspective, the problem seems rather
> insignificant, but I will defer to your opinion as the maintainer.

It is a problem on Debian. I have successfully reproduced the problem.
The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.

I have uploaded a fixed package to unstable now. I agree that it is not a
critical bug but I think it is worth a DSA for this, so I'm cc:ing the
security team about this.

The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
that package compared to stable.

Best regards,

// Ola

> See the Fedora security announcement for more details [1].
>
> Thanks for your assistance on this issue.
>
> [1] http://lwn.net/Articles/328042/
>

--
 --------------------- Ola Lundqvist ---------------------------
/  [email protected]                     Annebergsslingan 37      \
|  [email protected]                     654 65 KARLSTAD          |
|  http://inguza.com/                +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
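
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not pptpsetup's own code: rewriting a secrets file by creating a fresh file lets the umask pick the mode, while writing a 0600 temp file, copying the old mode onto it and renaming keeps the mode. The sample entries, the tunnel name sitting in the second field, and all function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample, chap-secrets column order: client server secret addresses
SAMPLE = 'alice office-vpn "constructed-1" *\nbob lab-vpn "constructed-2" *\n'

def _kept(path, tunnel):
    """Lines of path minus entries whose second field (assumed tunnel name) matches."""
    lines = Path(path).read_text().splitlines(keepends=True)
    return [l for l in lines if l.split()[1:2] != [tunnel]]

def delete_recreating(path, tunnel):
    """Model of the reported behaviour: the replacement file's mode comes from the umask."""
    kept = _kept(path, tunnel)
    new = path + ".new"
    with open(new, "w") as f:  # created as 0666 & ~umask, typically 0644
        f.writelines(kept)
    os.replace(new, path)

def delete_preserving_mode(path, tunnel):
    """Write a 0600 temp file, copy the original mode onto it, then rename over path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    kept = _kept(path, tunnel)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)  # mode is set before any secret is written
            f.writelines(kept)
        os.replace(tmp, path)  # atomic within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Run both variants on a 0600 file under umask 022; return {name: (mode, text)}."""
    old_umask = os.umask(0o022)
    try:
        out = {}
        with tempfile.TemporaryDirectory() as d:
            for fn in (delete_recreating, delete_preserving_mode):
                path = os.path.join(d, "chap-secrets")
                Path(path).write_text(SAMPLE)
                os.chmod(path, 0o600)
                fn(path, "lab-vpn")
                out[fn.__name__] = (stat.S_IMODE(os.stat(path).st_mode), Path(path).read_text())
        return out
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print({name: oct(mode) for name, (mode, _) in demo().items()})
```

File ownership is not copied here; a tool that can run against a file owned by another user would also need to restore owner and group before the rename.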

