Package: redmine
Severity: important
Forwarded: https://salsa.debian.org/ruby-team/redmine/-/merge_requests/3
Tags: patch security
Hello,

Upon installing, Redmine is configured with an admin Web account with the well-known password "admin". This is insecure, as anyone with Web access is able to access the admin account right after the Redmine Web service becomes live. I think Debian packages must not expose interfaces accessible with well-known passwords.

I propose a Debian-only patch [1] to set a random password in the postinst script, and store it in plaintext in a root-only readable location. This should mitigate the security issue.

[1] https://salsa.debian.org/ruby-team/redmine/-/merge_requests/3

Best,
Andrius
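The following POSIX shell sketch is an added illustration of the two steps the report describes (generate a random password in postinst, store it where only root can read it); it is not the patch from the merge request and does not touch Redmine itself. The password length (16 random bytes, printed as 32 hex characters) and the idempotent "keep the existing file on re-run" behaviour are assumptions made here, chosen because maintainer scripts run again on upgrades and must not silently rotate a password the administrator already relies on.

```shell
#!/bin/sh
# Added example, not the Debian redmine package's postinst.
# Shows: random password from the kernel CSPRNG, written to a file that is
# root-only from the moment it is created, and preserved across re-runs.
set -eu

# Produce 16 random bytes as 32 hex characters. Assumption: 128 bits of
# entropy is the strength chosen for this illustration.
generate_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the password to $2 with mode 0600. The restrictive umask is applied
# before the redirection creates the file, so there is no window in which the
# file is readable by other users; chmod afterwards covers a pre-existing file.
store_password() {
    _pw="$1"
    _path="$2"
    _old_umask=$(umask)
    umask 077
    printf '%s\n' "$_pw" > "$_path"
    umask "$_old_umask"
    chmod 0600 "$_path"
}

# Idempotent entry point for a maintainer script: create the password file
# only if it does not exist yet, then print the password that is in effect.
# A second run (e.g. package upgrade) returns the stored value unchanged.
ensure_password_file() {
    _path="$1"
    if [ ! -s "$_path" ]; then
        store_password "$(generate_password)" "$_path"
    fi
    cat "$_path"
}

# Defender's check: the stored secret must be readable by its owner only.
# Returns 0 when the permission bits are exactly -rw-------.
check_root_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

In a real postinst the path would live under a root-owned directory such as the package's configuration directory (a placeholder here, since the report does not name one), and the generated value would then be handed to Redmine through whatever mechanism the merge request uses.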