tag 199985 confirmed
thanks

On Mon, 2003-07-07 at 18:59, Noah L. Meyerhans wrote:
> On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
> > i learned from the debian-security-announce mailinglist that mantis (a
> > php bugtracking system) has insecure permissions on the configfile that
> > stores the database password. so i did an 'apt-get update ;apt-get
> > upgrade' and was quite surprised, as this upgrade didn't just fix
> > permissions on this file, but overwrote it without asking. it took me a
> > while to find out what happened, and even longer, to restore the
> > settings i had in this file, because the update didn't even bother
> > backing up the original configuration.
>
> Yuck. I've talked to Matt Zimmerman about this (he prepared the
> security update). This problem is not introduced by the security
> update, but is instead part of the package as prepared by the maintainer.
> They apparently don't list the configuration file as such, so dpkg will
> happily overwrite it. That's definitely a bug and must be fixed by the
> Debian package maintainer.

Hello.

I'm currently maintaining mantis and I confirm this behaviour, although it's an old behaviour and it was not introduced in my latest security-stable package. In my stable fix I just changed it to chown the right files and I haven't changed anything else. Same applies to unstable version.

Please bear with me until I have time to fix this and other issues at the same time - for example, it shouldn't break if it's not possible to drop its table from mysql, it would be better to just warn. As the package is now, if you stop mysql, it would be near to impossible to try to remove/purge it again, reinstall or even upgrade without editing local postrm file.

Anyway, thanks for noticing this problem. I'll get back soon with updated information.

PS: I'm not subscribed to [EMAIL PROTECTED]

> noah