Your message dated Sat, 25 May 2013 17:53:10 +0300 (EEST) with message-id <[email protected]> and subject line Closing old bugs filed against tomcat5.5 (or related packages) has caused the Debian Bug report #434762, regarding tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
434762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434762
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tomcat5.5
Severity: grave
Tags: security
Justification: user security hole

/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644. I consider this a security problem, because it's all too easy to add the admin or manager roles while forgetting to change the file permissions to something more restrictive, thus revealing the authentication data used to manage the Tomcat installation to all local users.

I suggest the file be chmodded to 600 during installation.

-- System Information:
Debian Release: etch
Architecture: i386 (i686)
--- End Message ---
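
The check and the fix the report above describes, as an added example that is not part of the original report or of the Debian package. The function names are hypothetical, and the role match assumes the usual `<user ... roles="...">` entries of tomcat-users.xml.

```shell
#!/bin/sh
# Added example: audit a tomcat-users.xml for the exposure described in the report.

# Print the file with XML comments removed, so commented-out sample users are ignored.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = "" } else { line = substr(line, i + 3); in_comment = 0 }
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" } else {
                    out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_comment = 1
                }
            }
        }
        print out
    }' "$1"
}

# Succeeds if an active <user> entry carries the admin or manager role.
has_privileged_user() {
    strip_xml_comments "$1" | tr '\n' ' ' |
        grep -Eq '<user[^>]*roles="([^"]*,)?[[:space:]]*(admin|manager)[[:space:]]*(,[^"]*)?"'
}

# Succeeds if "other" has read permission on the file (as with mode 644).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Status: 0 = not world-readable, 1 = world-readable without a privileged user,
# 2 = world-readable and holding admin/manager credentials, 3 = missing or unreadable.
audit_users_file() {
    [ -r "$1" ] || return 3
    is_world_readable "$1" || return 0
    if has_privileged_user "$1"; then return 2; fi
    return 1
}

# The remediation suggested in the report: owner-only read and write.
harden_users_file() {
    chmod 600 "$1"
}

if [ "$#" -gt 0 ]; then audit_users_file "$1"; echo "audit status: $?"; fi
```

After `harden_users_file`, the Tomcat service account must own the file, otherwise the server can no longer read its own user database.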
--- Begin Message ---
Version: 5.5.26-5

Hello,

Some (long) time ago you filed this bug against tomcat5.5 or a related package. In the meantime the tomcat5.5 package has been renamed and this bug was "lost". Since the bug is already quite old now it is being closed.

If the issue you encountered is still present in recent tomcat packages (as released with Debian 7.0 wheezy for example) the maintainer(s) would very much appreciate a fresh report using:

    reportbug <package>

You should also mention the number of this bug if you think it contains valuable information.

Please note that further information sent to this bug is likely to remain unread, because the bug is currently not assigned to any existing package.

Thank you for trying to improve Debian by reporting bugs.

Kind regards,
Andrei (with no relation to tomcat maintenance)
--- End Message ---

