Package: pyblosxom
Severity: normal

I got an email from Ted who got an email from David who got an email
from Zack which reads as follows:

> Hello,
>
> I discovered this vulnerability while playing with pyblosxom, which uses
> python files to store configuration information. The way it is packaged
> by Debian, the global config file /etc/pyblosxom/config.py is created
> with 640 permissions, owned by the root user and the www-data group, of
> which apache httpd is a member. When the config file is imported by
> pyblosxom, a config.pyc is created with 644 permissions. If, for
> example, an XMLRPC password is specified in that file, it will be
> readable by any user.

I'm not sure how to go about dealing with this, though. Feel free to
toss me an email so we can discuss and see if it's something I need to
fix in PyBlosxom proper or something you can fix in the Debian package.

This is critical only because it potentially reveals the XMLRPC
username/password and any other configuration information in the
config.py file.

/will

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.23
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
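The condition described in the quoted report (a 0640 config.py whose compiled config.pyc ends up 0644, with the password recoverable from it) can be audited with a small script. This is an added example, not code from PyBlosxom or the Debian package; the `py["xmlrpc_password"]` line and the secret value are constructed, and because Python 3's py_compile copies the source file's mode, the example explicitly widens the .pyc to 0644 to reproduce the Python 2-era behaviour the report describes.

```python
import os
import py_compile
import stat
import tempfile
from importlib.util import cache_from_source


def compiled_siblings(source):
    # Legacy sibling .pyc (Python 2 layout from the report) plus __pycache__.
    candidates = [source + "c", cache_from_source(source)]
    return [p for p in candidates if os.path.exists(p)]


def audit_config(source, secret):
    """Flag compiled copies whose mode grants bits the source does not,
    and check whether `secret` is present in the bytecode (marshal keeps
    string constants in the clear)."""
    src_mode = stat.S_IMODE(os.stat(source).st_mode)
    findings = []
    for pyc in compiled_siblings(source):
        pyc_mode = stat.S_IMODE(os.stat(pyc).st_mode)
        wider = pyc_mode & ~src_mode  # bits the .pyc has but the .py lacks
        with open(pyc, "rb") as f:
            leaks = secret.encode() in f.read()
        if wider or leaks:
            findings.append({"path": pyc, "mode": oct(pyc_mode),
                             "wider": bool(wider), "leaks_secret": leaks})
    return findings


def remediate(source):
    """Clamp every compiled copy to the source file's permission bits."""
    src_mode = stat.S_IMODE(os.stat(source).st_mode)
    for pyc in compiled_siblings(source):
        os.chmod(pyc, src_mode)


def demo():
    # Constructed scratch config reproducing the reported layout.
    d = tempfile.mkdtemp()
    source = os.path.join(d, "config.py")
    with open(source, "w") as f:
        f.write('py = {}\npy["xmlrpc_password"] = "constructed-secret"\n')
    os.chmod(source, 0o640)
    pyc = source + "c"
    py_compile.compile(source, cfile=pyc)
    os.chmod(pyc, 0o644)  # simulate the umask-driven 0644 from the report
    before = audit_config(source, "constructed-secret")
    remediate(source)
    after = audit_config(source, "constructed-secret")
    return before, after
```

Note that remediation only narrows the mode: the secret is still inside the bytecode, so the audit keeps reporting `leaks_secret` until the compiled copy is removed or the secret is moved out of the importable module.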

