Your message dated Fri, 31 Jul 2009 12:17:12 +0000
with message-id <[email protected]>
and subject line Bug#425010: fixed in mantis 1.1.8+dfsg-2
has caused the Debian Bug report #425010,
regarding mantis: Config file with CLEAR PASSWORD is world-wide readable!!
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
425010: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=425010
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mantis
Version: 1.0.6+dfsg-4.1
Severity: grave
After an upgrade of Mantis, the config file /etc/mantis/config_db.php
is world-wide readable and contains the clear password of my SQL
database!!!
Please urgently fix this as it creates a very big security hole.
The previous versions of Mantis were smarter:
-rw-r----- 1 root www-data 1887 2007-05-18 11:27 config.php
    ^^^          ^^^^^^^^
I've 'chgrp www-data' and 'chmod 640' the new file
/etc/mantis/config_db.php and it's working.
Thanks.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.20-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mantis depends on:
ii apache 1.3.34-4.1 versatile, high-performance HTTP s
ii apache2 2.2.3-4 Next generation, scalable, extenda
ii apache2-mpm-prefork [apache 2.2.3-4+b1 Traditional model for Apache HTTPD
ii dbconfig-common 1.8.33 common framework for packaging dat
ii debconf 1.5.13 Debian configuration management sy
ii libapache2-mod-php5 5.2.2-1+b1 server-side, HTML-embedded scripti
ii libphp-adodb 4.94-1 The 'adodb' database abstraction l
ii libphp-phpmailer 1.73-3 full featured email transfer class
ii php4-cli 6:4.4.6-2+b1 command-line interpreter for the p
ii php4-mysql 6:4.4.6-2+b1 MySQL module for php4
ii php5-cli 5.2.2-1+b1 command-line interpreter for the p
ii php5-mysql 5.2.2-1+b1 MySQL module for php5
mantis recommends no packages.
-- debconf information:
mantis/dbconfig-reinstall: false
* mantis/dbconfig-install: true
* mantis/remote/newhost: localhost
mantis/title: Mantis
* mantis/url: http://localhost/mantis/
mantis/upgrade-backup: true
mantis/internal/skip-preseed: false
mantis/install-error: abort
mantis/internal/reconfiguring: false
mantis/dbconfig-remove:
* mantis/bounce: [email protected]
* mantis/db_autoupdate: true
* mantis/ldap: false
mantis/ldap_server: localhost
mantis/version:
mantis/from: man...@localhost
mantis/show_version: true
mantis/root_mysql: root
mantis/passwords-do-not-match:
mantis/signup: true
* mantis/admin: [email protected]
* mantis/mysql/admin-user: root
* mantis/remote/port:
* mantis/username: mantis
mantis/purge: false
* mantis/webmaster: [email protected]
* mantis/dbconfig-upgrade: false
mantis/remove-error: abort
* mantis/remote/host: localhost
* mantis/purge_db: true
* mantis/db/app-user: mantis
* mantis/mysql/method: tcp/ip
mantis/dn: dn=
mantis/mysql_port: 3306
* mantis/webserver: apache
* mantis/db/dbname: bugtracker
* mantis/database-type: mysql
mantis/upgrade-error: abort
* mantis/app_configure: true
mantis/language: english
* mantis/mysql_server: localhost
* mantis/database: bugtracker
mantis/organisation:
--
  ,''`.
 : :' :     Cyril Bouthors
 `. `'      Debian.org
   `-
--- End Message ---
--- Begin Message ---
Source: mantis
Source-Version: 1.1.8+dfsg-2
We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:
mantis_1.1.8+dfsg-2.diff.gz
to pool/main/m/mantis/mantis_1.1.8+dfsg-2.diff.gz
mantis_1.1.8+dfsg-2.dsc
to pool/main/m/mantis/mantis_1.1.8+dfsg-2.dsc
mantis_1.1.8+dfsg-2_all.deb
to pool/main/m/mantis/mantis_1.1.8+dfsg-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Schoenfeld <[email protected]> (supplier of updated mantis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 31 Jul 2009 13:39:51 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.8+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Patrick Schoenfeld <[email protected]>
Changed-By: Patrick Schoenfeld <[email protected]>
Description:
mantis - web-based bug tracking system
Closes: 425010 525369 534832 539387
Changes:
mantis (1.1.8+dfsg-2) unstable; urgency=high
.
[ Olivier Berger ]
* Fix template and french translation regarding 'administrator' (Closes:
534832)
.
[ Patrick Schoenfeld ]
* Urgency high because this fixes a security bug
* Use ucf with --debconf-ok switch in postrm, too, in order to finally
get rid of the odd debconf warnings. Thanks Andreas Moog. (Closes:
#525369)
* Fix default permissions for config_db.php and add a conditional to
update old installations.
(Closes: #425010)
* Remove dpkg-statoverrides on package purge (Closes: #539387)
Checksums-Sha1:
ef59bfd6f9a4ff148bbdbcb8608455cda20302cc 1184 mantis_1.1.8+dfsg-2.dsc
c8483e95576c203c83a2bd1e21ed54121f590e51 45806 mantis_1.1.8+dfsg-2.diff.gz
49321df8e008dea4674097409ad4122b3468422b 1783816 mantis_1.1.8+dfsg-2_all.deb
Checksums-Sha256:
8cdc1dffd570b76c5b975d4e66881e2666a3c7872f74dc54c9094666828b6347 1184 mantis_1.1.8+dfsg-2.dsc
b979411eaee3dc76ef1d1854a58daaec0982f684883fc4775337e50cf325dfdb 45806 mantis_1.1.8+dfsg-2.diff.gz
3d5efafae83453805f6dcf687e95b3d71dfe9d76eb12cc8030bf383e86c32edf 1783816 mantis_1.1.8+dfsg-2_all.deb
Files:
0b291928eca402e4e424d6690cc4898b 1184 web optional mantis_1.1.8+dfsg-2.dsc
37540184c1df627998176ded41013370 45806 web optional mantis_1.1.8+dfsg-2.diff.gz
9b10cfce80181c1a548f4da7ecfd116e 1783816 web optional mantis_1.1.8+dfsg-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpy3i0ACgkQbdB4RPTVesrc4ACfVzX3/57CEYMCxtIwY0KBIGih
ti0AnRpO5/9FxG68nFaELc9PmCf8xyBq
=F+cG
-----END PGP SIGNATURE-----
--- End Message ---
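The changelog entry above describes the fix in two parts: a correct default mode for config_db.php, and a conditional that repairs old installations that were left world-readable, with the dpkg-statoverride entry removed again on purge. The following maintainer-script style snippet is an added example written for this page; it is not code from the Debian mantis package or its postinst/postrm. The path in CONFIG and the group in WEB_GROUP are assumed defaults taken from the report (root:www-data, mode 0640), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the Debian mantis package: a maintainer-script
# style check that mirrors the fix in the changelog (default mode 0640,
# root:www-data, plus a conditional that repairs old installations).
# CONFIG and WEB_GROUP are assumed values; the package's real paths and
# statoverride handling live in its own postinst/postrm, not here.
set -e

CONFIG=${CONFIG:-/etc/mantis/config_db.php}
WEB_GROUP=${WEB_GROUP:-www-data}

# Octal mode of a file, e.g. 644 (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True (exit 0) when the "other" read bit is set: the condition the bug
# report complains about for a file that holds a database password.
is_world_readable() {
    mode=$(file_mode "$1")
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# Repair an existing file only when it is too open, so a correctly
# configured installation is left untouched (the "conditional" in the fix).
# Returns 0 when a change was made, 1 when nothing needed doing.
harden_config() {
    f=$1
    grp=$2
    if is_world_readable "$f"; then
        chgrp "$grp" "$f"
        chmod 0640 "$f"
        return 0
    fi
    return 1
}

# On a Debian system the persistent way to own these permissions is
# dpkg-statoverride (registered in postinst, removed in postrm on purge);
# both steps need root and are skipped here when the tool is absent.
register_override() {
    command -v dpkg-statoverride >/dev/null || return 0
    dpkg-statoverride --list "$1" >/dev/null ||
        dpkg-statoverride --update --add root "$WEB_GROUP" 0640 "$1"
}

remove_override() {
    command -v dpkg-statoverride >/dev/null || return 0
    if dpkg-statoverride --list "$1" >/dev/null; then
        dpkg-statoverride --remove "$1"
    fi
}

# Stand-alone run: report on and fix the configured file if it exists.
if [ -f "$CONFIG" ]; then
    if harden_config "$CONFIG" "$WEB_GROUP"; then
        echo "fixed permissions on $CONFIG"
    else
        echo "$CONFIG is already not world-readable"
    fi
fi
```

harden_config and is_world_readable work as an unprivileged user on any file you own, which makes them easy to try on a scratch copy; register_override and remove_override only make sense as root inside a package's postinst and postrm, where the override survives later upgrades that would otherwise reinstall the file with its shipped mode.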