Your message dated Thu, 10 Jun 2010 15:50:49 +0000
with message-id <e1omk1p-0005wh...@ries.debian.org>
and subject line Bug#584469: fixed in prewikka 1.0.0-1.1
has caused the Debian Bug report #584469,
regarding prewikka: Permission security vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
584469: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: prewikka
Version: 0.9.14-2
Severity: critical
Justification: causes serious data loss
*** Please type your report below this line ***
The prewikka.conf file is world readable and contains the SQL-database
password used by prewikka. This update makes it readable just by the
apache group.
References:
https://dev.prelude-technologies.com/projects/prewikka/repository/revisions/17e38c310410be1b7811152172cda4438936063d
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00771.html
https://bugs.gentoo.org/show_bug.cgi?id=270056
This has CVE-2010-2058 assigned.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Source: prewikka
Source-Version: 1.0.0-1.1
We believe that the bug you reported is fixed in the latest version of
prewikka, which is due to be installed in the Debian FTP archive:
prewikka_1.0.0-1.1.diff.gz
to main/p/prewikka/prewikka_1.0.0-1.1.diff.gz
prewikka_1.0.0-1.1.dsc
to main/p/prewikka/prewikka_1.0.0-1.1.dsc
prewikka_1.0.0-1.1_all.deb
to main/p/prewikka/prewikka_1.0.0-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 584...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated prewikka package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 10 Jun 2010 15:50:02 +0200
Source: prewikka
Binary: prewikka
Architecture: source all
Version: 1.0.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
prewikka - Security Information Management System [ Web Interface ]
Closes: 584469
Changes:
prewikka (1.0.0-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Install prewikka.conf file with mode 0640 to prevent disclosure
of db credentials (CVE-2010-2058; Closes: #584469).
NOTE to maintainer: I've seen there is a chmod 640 at the end
of the postinst script but this is on the one hand prone to a
race condition and on the other hand not always effective.
Checksums-Sha1:
5b8a48508f2ef161db79634640baa71473dd6333 1040 prewikka_1.0.0-1.1.dsc
1857b8fd3a1ae8d2fd8746acf775c4a050dc9daf 10860 prewikka_1.0.0-1.1.diff.gz
7c59fe5eb7fc83a3b7812b152e764681d29fdefe 339668 prewikka_1.0.0-1.1_all.deb
Checksums-Sha256:
c44edc5f2e23f64e4eddd4ec0a3e499fb7b9fdf36cd46403274dd276a72e81fd 1040 prewikka_1.0.0-1.1.dsc
b5d49e9461dd1ee70447a04a3182ecb0fb90916069eba3ce7f1b12dda5f7c46d 10860 prewikka_1.0.0-1.1.diff.gz
7b17c3f8ed01843e6d6005f505d6f0bf3b3d4fe1670147584279e48196382994 339668 prewikka_1.0.0-1.1_all.deb
Files:
bab136b84f8bacfa30a5e6f01cbb8354 1040 web extra prewikka_1.0.0-1.1.dsc
332f1209d678483b41a0e55a0b88fc13 10860 web extra prewikka_1.0.0-1.1.diff.gz
6e0e0ccd0c89bb1156673fe0577f0160 339668 web extra prewikka_1.0.0-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkwQ8agACgkQHYflSXNkfP98PQCeM12yscKs+7n/kh+9sKovBACF
t/IAoJU4jR84tdJ8fHcWDBCThEQkncTo
=Z0Ok
-----END PGP SIGNATURE-----
--- End Message ---
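The two messages above make one point each: the reporter's, that a world-readable prewikka.conf exposes the database password, and the changelog's, that fixing the mode with a chmod at the end of postinst leaves a window in which the file already exists with the wrong mode. The script below is an added example and is not code from the bug report, the prewikka project or the Debian package. It shows the check an administrator would run on an installed system, and a way to put such a file in place that never passes through a world-readable state. The Debian-side fix the changelog describes, shipping the file inside the package with mode 0640 so dpkg unpacks it that way, is not reproduced here. The file name prewikka.conf comes from the report; the sample content, the temporary path, the key-name pattern and the group argument are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report, prewikka or the Debian package.
# Assumed: GNU stat (BSD fallback untested), sample config content below.

# Return 0 if $1 exists and has no read bit for "other", 1 otherwise.
# `stat -c %a` is GNU coreutils; `stat -f %Lp` (assumed) is the BSD form.
is_not_world_readable() {
    f=$1
    [ -e "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%Lp' "$f" 2>/dev/null)
    [ -n "$mode" ] || return 1
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    [ $((other & 4)) -eq 0 ]
}

# Install $1 as $2 with mode 0640 (and group $3 when given) without a window
# in which the new file is readable by everyone:
#   - the copy is created under umask 077, so the inode is 0600 from the start;
#   - group and mode are adjusted on that private copy;
#   - the final rename into place is atomic, so readers see either the old
#     file or the finished 0640 one, never a 0644 intermediate.
# Run as root when a group is given; chgrp to a group you are not in fails.
install_conf() {
    src=$1; dst=$2; grp=${3:-}
    tmp="$dst.tmp.$$"
    (umask 077 && cp "$src" "$tmp") || return 1
    if [ -n "$grp" ]; then
        chgrp "$grp" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0640 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# Scan a directory for world-readable files that look like they carry a
# database password; print each offender and return 1 if any is found.
# The key-name pattern is an assumption, not prewikka's config syntax.
find_exposed_db_passwords() {
    dir=$1; found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! is_not_world_readable "$f" \
           && grep -Eqi '^[[:space:]]*(db)?pass(word)?[[:space:]]*[:=]' "$f"; then
            echo "$f: world-readable and contains a password setting"
            found=1
        fi
    done
    return $found
}

# Usage: sh this_script.sh SRC DST [GROUP]
if [ "$#" -ge 2 ]; then
    install_conf "$1" "$2" "${3:-}"
    if is_not_world_readable "$2"; then
        echo "$2: mode OK"
    else
        echo "$2: still world-readable"
    fi
fi
```

The order in install_conf is the whole point: the restrictive mode is a property of the file from the moment it is created, and only the later, relaxing step (group read) happens after the fact. A copy followed by chmod gets the same end state but not the same guarantee, and a postinst chmod additionally depends on running after every path that can recreate the file, which is the "not always effective" half of the changelog note.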