Your message dated Sun, 04 Mar 2012 11:03:30 +0000
with message-id <[email protected]>
and subject line Bug#662069: Removed package(s) from unstable
has caused the Debian Bug report #616052,
regarding opendchub: Daemon resets config file to defaults, allowing remote
admin with a default password by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
616052: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: opendchub
Version: 0.8.2-2
Severity: grave
Tags: security
Justification: user security hole
opendchub will overwrite the /etc/opendchub/config file every time it is
restarted. The defaults include a default administrative password (which is
always the same), and also (perhaps more critically) enable remote
administration by default. No indication is given that this has happened, and
it might appear to a user that their changed password or server settings have
taken effect.
To test this, it is very simple.

Modify /etc/opendchub/config:

    $ sudo nano /etc/opendchub/config

Modify the admin password, or some other option.

Restart the daemon:

    $ sudo invoke-rc.d opendchub restart

which outputs:

    Stopping DC++ server: opendchub.
    Starting DC++ server: opendchub.

Then, look at the configuration file again:

    $ sudo nano /etc/opendchub/config

All of your customizations to the file are overwritten.
I might report this as a normal bug, but it seems to be a security
vulnerability, as essentially the hub is controllable by anyone in the same
network as the machine, even if the user has specified otherwise, and they are
given no indication that their settings have been ignored.
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages opendchub depends on:
ii  adduser      3.112+nmu2  add and remove users and groups
ii  libc6        2.11.2-10   Embedded GNU C Library: Shared lib
ii  libcap2      1:2.19-3    support for getting/setting POSIX.
ii  libperl5.10  5.10.1-17   shared Perl library
opendchub recommends no packages.
opendchub suggests no packages.
-- Configuration Files:
/etc/opendchub/config [Errno 13] Permission denied: u'/etc/opendchub/config'
/etc/opendchub/motd [Errno 13] Permission denied: u'/etc/opendchub/motd'
-- no debconf information
--- End Message ---
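
The manual reproduction in the report above can be turned into a repeatable check that flags a daemon which silently rewrites its configuration on restart. This is an added example, not part of the original report or of opendchub; the function names and the sample config keys are constructed for illustration and do not reflect opendchub's real config format.

```shell
#!/bin/sh
# Added example: detect a config file that is silently reset across a restart.
#
# config_survives_restart CONFIG CMD [ARGS...]
#   returns 0 if CONFIG is byte-identical after CMD has run,
#           1 if CONFIG was modified or removed (a unified diff goes to stderr),
#           2 on usage or I/O errors.
# On the system from the report this would be run as root, e.g.:
#   config_survives_restart /etc/opendchub/config invoke-rc.d opendchub restart
config_survives_restart() {
    [ "$#" -ge 2 ] || { echo "usage: config_survives_restart CONFIG CMD..." >&2; return 2; }
    cfg=$1; shift
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    snap=$(mktemp) || return 2
    cp -- "$cfg" "$snap" || { rm -f "$snap"; return 2; }

    # Run the restart command. Its exit status is deliberately ignored:
    # the report shows a restart that looks successful while the file is reset.
    "$@" >/dev/null 2>&1 || true

    if cmp -s "$snap" "$cfg"; then
        rc=0
    else
        echo "WARNING: $cfg changed across restart:" >&2
        diff -u "$snap" "$cfg" >&2 || true
        rc=1
    fi
    rm -f "$snap"
    return "$rc"
}

# Constructed stand-in for a buggy restart: overwrites the file with
# hypothetical defaults, mimicking the behaviour described in the report.
fake_restart_resets_config() {
    printf 'example_admin_password = "default"\nexample_remote_admin = 1\n' > "$1"
}
```

A non-zero result from a check like this in a package's test suite or a post-restart hook makes the reset visible instead of leaving the administrator to assume the edited settings are in force.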
--- Begin Message ---
Version: 0.8.2-2+rm
Dear submitter,
as the package opendchub has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/662069
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)
--- End Message ---