Package: zoneminder
Version: 1.22.3-4
Severity: important

First thing I noticed is zoneminder 'calls home'. I would have expected this 'feature' to be set to 'no no', or at least be configurable at install time. The documentation is poor, but I managed to find some:

,---- /usr/share/zoneminder/zm_create.sql
| insert into Config set Id = 111,
| Name = 'ZM_CHECK_FOR_UPDATES',
| Value = '1',
| Type = 'boolean',
| DefaultValue = 'yes',
| Hint = 'yes|no',
| Pattern = '(?i-xsm:^([yn]))',
| Format = ' ($1 =~ /^y/) ? \"yes\" : \"no\" ',
| Prompt = 'Whether to check with zoneminder.com for
| updated versions',
| Help = 'From ZoneMinder version 1.17.0 onwards new versions
| are expected to be more frequent. To save checking
| manually for each new version ZoneMinder can check
| with the zoneminder.com website to determine the
| most recent release. These checks are infrequent,
| about once per week, and no personal or system
| information is transmitted other than your current
| version number. If you do not wish these checks to
| take place or your ZoneMinder system has no
| internet access you can switch these check off with
| this configuration variable',
| Category = 'system',
| Readonly = '0',
| Requires = '';
`----

ZM_CHECK_FOR_UPDATES is also mentioned in the release notes somewhere, but nothing more. Anyhow, this 'feature' seems configurable (/etc/zm/zm.conf?).

Which brings me to the other thing: the database password in /etc/zm/zm.conf. That file and the directory are world readable. Maybe not every sysadmin is happy with every user on the system being able to read that.

I am now going to purge the package and wait until some proper security measures are taken.

Cheers,
Cristian

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (99, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)

Versions of packages zoneminder depends on:
ii  apache2-mpm-prefork      2.2.3-3.3        Traditional model for Apache HTTPD
ii  ffmpeg                   3:20070221-0.0   audio/video encoder, streaming ser
ii  libapache2-mod-php4      6:4.4.4-8+etch1  server-side, HTML-embedded scripti
ii  libc6                    2.3.6.ds1-13     GNU C Library: Shared libraries
ii  libdate-manip-perl       5.44-5           a perl library for manipulating da
ii  libgcc1                  1:4.1.1-21       GCC support library
ii  libjpeg62                6b-13            The Independent JPEG Group's JPEG
ii  libmime-perl             5.420-0.1        Perl5 modules for MIME-compliant m
ii  libmysqlclient15off      5.0.32-7         mysql database client library
ii  libstdc++6               4.1.1-21         The GNU Standard C++ Library v3
ii  libwww-perl              5.805-1          WWW client/server library for Perl
ii  mysql-client             5.0.32-7         mysql database client (meta packag
ii  mysql-client-5.0 [mysql- 5.0.32-7         mysql database client binaries
ii  mysql-server             5.0.32-7         mysql database server (meta packag
ii  mysql-server-5.0 [mysql- 5.0.32-7         mysql database server binaries
ii  php4                     6:4.4.4-8+etch1  server-side, HTML-embedded scripti
ii  php4-mysql               6:4.4.4-8+etch1  MySQL module for php4
ii  zlib1g                   1:1.2.3-13       compression library - runtime

zoneminder recommends no packages.

-- no debconf information
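
The world-readable /etc/zm/zm.conf described in the report can be checked for, and tightened, along these lines. This is an added example, not part of the original report and not ZoneMinder or Debian packaging code; it assumes GNU stat, that the password is stored under the key ZM_DB_PASS, and the function names are hypothetical.

```shell
# Added example, not ZoneMinder or Debian packaging code.
# Assumptions: GNU stat; password key is ZM_DB_PASS; function names are hypothetical.

# Exit 0 if "other" users have read permission on the file.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( ($mode % 10) & 4 )) -ne 0 ]
}

# Exit 0 if the file stores a non-empty ZM_DB_PASS value.
has_db_password() {
    grep -Eq '^[[:space:]]*ZM_DB_PASS[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Print a finding; return 1 only when a stored password is world readable.
audit_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "SKIP  $conf: not a regular file"; return 0
    fi
    if ! has_db_password "$conf"; then
        echo "OK    $conf: no ZM_DB_PASS value stored"; return 0
    fi
    if world_readable "$conf"; then
        echo "FAIL  $conf: holds ZM_DB_PASS, world readable ($(stat -c '%A %U:%G' "$conf"))"
        return 1
    fi
    echo "OK    $conf: holds ZM_DB_PASS, not world readable"
}

# Remove all access for "other"; optionally give the file to the group the
# web server runs as (GROUP is an assumption, e.g. www-data on Debian).
harden_conf() {
    conf=$1 group=${2:-}
    if [ -n "$group" ]; then chgrp "$group" "$conf" || return 1; fi
    chmod o-rwx "$conf"
}

# Demo on a constructed file (not a real zm.conf): fails, is hardened, passes.
demo=$(mktemp)
printf 'ZM_DB_PASS=constructed-secret\n' > "$demo"
chmod 644 "$demo"
audit_conf "$demo" || harden_conf "$demo"
audit_conf "$demo"
rm -f "$demo"
```

On a real system the calls would be `audit_conf /etc/zm/zm.conf` and, as root, `harden_conf /etc/zm/zm.conf GROUP` with the group the web server and ZoneMinder daemons run under.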