Package: radicale
Version: 2.1.11-6
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I have a stretch-based radicale installation running under uwsgi with the attached uwsgi configuration. Under stretch, everything is operating correctly and radicale authenticates against the LDAP service specified in the configuration.

   * What exactly did you do (or not do) that was effective (or ineffective)?

I upgraded from stretch to buster while having apt-listchanges and apt-listbugs installed. I modified the uwsgi configuration to use python3 instead of python27 (since radicale is now python3 based) and reloaded the uwsgi-emperor.

   * What was the outcome of this action?

The upgrade passed without any notice from apt-listchanges or apt-listbugs regarding radicale. radicale was operating, but it was not performing any authentication; every password was accepted for every user name, opening the server up for denial of service by unauthorized users (by spamming data on it) and possibly opening up access to existing data (if the configuration fits).

   * What outcome did you expect instead?

I expect either:

(1) radicale to fail to start and/or operate at all, due to the obviously invalid configuration. This is the case when I run radicale manually from the command line (it already chokes at the `well-known` section, not to mention that there’s no LDAP support anymore).

(2) a prominent warning via apt-listchanges that the configuration format has changed drastically, that LDAP is not supported anymore, and that attempting to run radicale with an invalid configuration may lead to it running without any authentication at all.

At this stage in the release cycle, (2) may be the way to go (and is fully sufficient In My Opinion).

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages radicale depends on:
ii  adduser              3.118
ii  init-system-helpers  1.56+nmu1
ii  lsb-base             10.2019051400
ii  python3              3.7.3-1
ii  python3-radicale     2.1.11-6

Versions of packages radicale recommends:
ii  ssl-cert  1.0.39

Versions of packages radicale suggests:
pn  apache2                     <none>
pn  apache2-utils               <none>
pn  libapache2-mod-proxy-uwsgi  <none>
pn  python3-bcrypt              <none>
pn  python3-passlib             <none>
pn  uwsgi                       <none>
ii  uwsgi-plugin-python3        2.0.18-1

-- Configuration Files:
/etc/radicale/config changed:
[encoding]
request = utf-8
stock = utf-8
[well-known]
caldav = /
carddav = /
[auth]
type = LDAP
ldap_url = ldap://192.168.10.1/
ldap_base = ou=Account,dc=zombofant,dc=net
ldap_attribute = uid
ldap_filter = (objectClass=inetOrgPerson)
[storage]
type = multifilesystem
filesystem_folder = /var/lib/radicale/collectionsfnord
[rights]
type = from_file
file = /etc/radicale/rights

/etc/uwsgi-emperor/vassals/radicale.ini
[uwsgi]
http-socket = 0.0.0.0:9001
processes = 1
threads = 1
auto-procname = true
procname-prefix-spaced = [radicale]
harakiri = 30
need-plugin = python27
wsgi-file = /usr/share/radicale/radicale.wsgi
enable-threads = true
offload-threads = 1

-- no debconf information
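
Added example (not part of the original report, and not Radicale or Debian code): a post-upgrade smoke test for the failure described above. It calls a WSGI application in-process with random credentials and passes only if the answer is HTTP 401. The two toy applications are constructed stand-ins; in a deployment, pass the callable exposed by the wsgi-file instead.

```python
import base64
import secrets
from wsgiref.util import setup_testing_defaults


def probe_status(app, credentials, method="PROPFIND", path="/"):
    """Call a WSGI app in-process with Basic credentials; return HTTP status."""
    environ = {"REQUEST_METHOD": method, "SCRIPT_NAME": "", "PATH_INFO": path,
               "CONTENT_LENGTH": "0"}
    setup_testing_defaults(environ)  # fills wsgi.input, SERVER_NAME, ...
    token = base64.b64encode(":".join(credentials).encode()).decode()
    environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []

    def start_response(status, headers, exc_info=None):
        seen.append(status)
        return lambda data: None  # legacy write() callable required by WSGI

    body = app(environ, start_response)
    try:
        for _ in body:  # drain the response so lazy apps call start_response
            pass
    finally:
        if hasattr(body, "close"):
            body.close()
    return int(seen[0].split()[0])


def rejects_bogus_login(app, path="/"):
    """True only if a random, never-provisioned user/password gets HTTP 401."""
    bogus = ("probe-" + secrets.token_hex(8), secrets.token_hex(16))
    return probe_status(app, bogus, path=path) == 401


# Constructed stand-ins for the two states described in the report.
def open_app(environ, start_response):
    """Accepts any credentials, like the upgraded server in the report."""
    start_response("207 Multi-Status", [("Content-Type", "text/xml")])
    return [b""]


def guarded_app(environ, start_response):
    """Rejects every login, as working auth does for an unknown user."""
    start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="x"')])
    return [b""]


if __name__ == "__main__":
    for name, app in (("open_app", open_app), ("guarded_app", guarded_app)):
        print(name, "OK" if rejects_bogus_login(app) else "ACCEPTS BOGUS LOGIN")
```

Run as a deployment gate after the package upgrade, it fails closed: any status other than 401 for the random login counts as a failure.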