On Sun, 2007-03-18 at 19:13 +0100, Cristian Ionescu-Idbohrn wrote:
> Package: zoneminder
> Version: 1.22.3-4
> Severity: important
>
> First thing I noticed is zoneminder 'calls home'. I would have
> expected this 'feature' to be set to 'no no', or at least be
> configurable at install time. The documentation is poor, but I managed
> to find some:
>
> ,---- /usr/share/zoneminder/zm_create.sql
> | insert into Config set Id = 111,
> |   Name = 'ZM_CHECK_FOR_UPDATES',
> |   Value = '1',
> |   Type = 'boolean',
> |   DefaultValue = 'yes',
> |   Hint = 'yes|no',
> |   Pattern = '(?i-xsm:^([yn]))',
> |   Format = ' ($1 =~ /^y/) ? \"yes\" : \"no\" ',
> |   Prompt = 'Whether to check with zoneminder.com for
> |             updated versions',
> |   Help = 'From ZoneMinder version 1.17.0 onwards new versions
> |           are expected to be more frequent. To save checking
> |           manually for each new version ZoneMinder can check
> |           with the zoneminder.com website to determine the
> |           most recent release. These checks are infrequent,
> |           about once per week, and no personal or system
> |           information is transmitted other than your current
> |           version number. If you do not wish these checks to
> |           take place or your ZoneMinder system has no
> |           internet access you can switch these check off with
> |           this configuration variable',
> |   Category = 'system',
> |   Readonly = '0',
> |   Requires = '';
> `----
>
> ZM_CHECK_FOR_UPDATES is also mentioned in the release notes somewhere, but
> nothing more. Anyhow, this 'feature' seems configurable (/etc/zm/zm.conf?).
>
In the short term I'll turn this off in the next release (-5). In the longer
term I'll discuss whether this is really needed with the upstream author.

> Which brings me to the other thing: the database password in
> /etc/zm/zm.conf. That file and the directory are world readable. Maybe
> not every sysadmin is happy with every user on the system being able
> to read that.
>
My bad :-( That too will be corrected in -5.

> I am now going to purge the package and wait until some proper security
> measures are taken.
>
Fair enough. I intend to close this bug when -5 comes out with the two
specific instances fixed (hopefully this week). I'll then also do an audit of
the whole thing to check for other security problems.

--
Peter Howard <[EMAIL PROTECTED]>