tag 473131 etch
thanks

On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
> Package: dbconfig-common
> Version: 1.8.37
> Severity: serious
> Tags: security
>
> When dbconfig-common detects that a database upgrade is needed, it dumps
> a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
> is world-readable, which bypasses all application-specific access
> control mechanisms.
>
> -rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql
>
> The Etch version of the package has the same bug, but as we discussed
> in private, it's currently unclear if any Etch packages are actually
> using the upgrade functionality.
>
> Note that PostgreSQL databases are unaffected by this because of #473013
> (which also applies to the Etch version).
This is now fixed in sid with 1.8.37+nmu1, but I think it also needs a
security update for Etch. Otherwise upgrades (especially partial ones) from
Etch to Lenny will hit the bug, as there is no guarantee that dbconfig-common
gets upgraded before the application unless its dependency is versioned.

The command

  % apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'

shows 16 packages using the upgrade functionality in current unstable.

Cc'ing the security team.

Cheers,
-- 
Niko Tyni [EMAIL PROTECTED]
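As an added illustration (not part of the bug report and not dbconfig-common's own code), a small POSIX shell audit for the condition described above: it lists world-readable dump files under a backups directory, tightens them to 0600, and shows how to write a new dump under umask 077 so it is never born world-readable. The directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example; the sample tree below is constructed, not taken from a
# real system, and the file names are hypothetical.

# List every regular file under $1 whose mode grants "other" read access
# (the -rw-r--r-- case from the report). -perm -004 is POSIX octal syntax.
find_world_readable() {
    find "$1" -type f -perm -004
}

# Number of world-readable files under $1 (tr strips BSD wc's padding).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Remediation for existing dumps: make each offending file owner-only.
restrict_backups() {
    find "$1" -type f -perm -004 -exec chmod 0600 {} +
}

# Prevention for new dumps: write $2 into $1 inside a subshell with
# umask 077, so the resulting file is 0600 whatever the caller's umask.
# Note this only helps for files that do not already exist.
write_private_backup() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Build a constructed sample directory mimicking the reported layout:
# one 0644 dump (the bug) and one already-private 0600 dump.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/backups"
    printf 'dump' > "$dir/backups/sample-app_1.0-1.mysql"
    chmod 0644 "$dir/backups/sample-app_1.0-1.mysql"
    printf 'dump' > "$dir/backups/sample-app_private.mysql"
    chmod 0600 "$dir/backups/sample-app_private.mysql"
    echo "$dir/backups"
}
```

Run `find_world_readable /var/cache/dbconfig-common/backups` as root to check an actual host; `restrict_backups` then applies the 0600 fix in place.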