Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread sean finney
hiya,
On Wednesday 09 April 2008 01:11:26 am Matt Brown wrote:
> On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni <[EMAIL PROTECTED]> wrote:
> > phpwiki
>
> phpwiki is not affected by this as the package installs the database
> with permissions 664 root:www-data
however, i suspect that the data used

Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Matt Brown
On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni <[EMAIL PROTECTED]> wrote:
> phpwiki
phpwiki is not affected by this as the package installs the database with permissions 664 root:www-data
There is nothing sensitive in the database, just wiki pages that are available via the http server. The admin p

Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Niko Tyni
On Tue, Apr 08, 2008 at 10:07:37PM +0200, Florian Weimer wrote:
> * Niko Tyni:
>
> > This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
> > a security update for Etch. Otherwise upgrades (especially partial
> > ones) from Etch to Lenny will hit the bug, as there is no guarantee

Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Florian Weimer
* Niko Tyni:
> This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
> a security update for Etch. Otherwise upgrades (especially partial
> ones) from Etch to Lenny will hit the bug, as there is no guarantee
> that dbconfig-common gets upgraded before the application unless its
> d

Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Niko Tyni
tag 473131 etch
thanks
On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
> Package: dbconfig-common
> Version: 1.8.37
> Severity: serious
> Tags: security
>
> When dbconfig-common detects that a database upgrade is needed, it dumps
> a backup in /var/cache/dbconfig-common/backups. Unfort

Processed: Re: Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:
> tag 473131 etch
Bug#473131: dbconfig-common: database backups are world-readable
Tags were: patch security
Tags added: etch
> thanks
Stopping processing here.
Please contact me if you need assistance.
Debian bug tracking system adminis

Bug#473131: dbconfig-common: database backups are world-readable

2008-03-29 Thread Niko Tyni
On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
> The Etch version of the package has the same bug, but as we discussed
> in private, it's currently unclear if any Etch packages are actually
> using the upgrade functionality.
This is actually trivial to find out:
etch% apt-file sear

Bug#473131: dbconfig-common: database backups are world-readable

2008-03-28 Thread Niko Tyni
Package: dbconfig-common
Version: 1.8.37
Severity: serious
Tags: security
When dbconfig-common detects that a database upgrade is needed, it dumps a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup is world-readable, which bypasses all application-specific access control mec