On Tue, Jun 19, 2007 at 09:28:05PM +0100, Stefano Zacchiroli wrote:
> Package: zope-debhelper
> Version: 0.3.9
> Severity: grave
> Tags: security
>
> The maintainer scripts generated by zope-debhelper leave passwords in
> /var/cache/debconf/config.dat. Passwords are therefore world readable by
> any user of the system. Tagging this bug as security since this is a
> local privilege escalation: users can access instances as the
> administrator user.
They should go in /var/cache/debconf/passwords.dat instead (and that is
where zope-common did put them AFAICT).

a.

--
Andrea Mennucc
"The EULA sounds like it was written by a team of lawyers who want to tell me
what I can't do, and the GPL sounds like it was written by a human being who
wants me to know what I can do."
Anonymous, http://www.securityfocus.com/columnists/420
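As an added example, not code from the bug report, from zope-debhelper or from zope-common: a POSIX shell audit that scans a debconf text database in the layout of /var/cache/debconf/config.dat for password-looking questions that carry a stored answer, and checks whether the file is world readable. The stanza layout (Name:/Value:/Owners: lines, stanzas separated by blank lines), the question names and the values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread or from zope-debhelper/zope-common.
# Audits a debconf text database (layout of /var/cache/debconf/config.dat)
# for password-like questions that have a stored Value. Assumed stanza layout:
#   Name: <question> / Value: <answer> / Owners: <pkgs>, stanzas split by blank lines.

# Print the Name of every stanza whose Name looks password-like and whose
# Value is non-empty. Anything printed for config.dat is a leak candidate:
# such answers belong in passwords.dat, which debconf keeps readable by root only.
find_leaked_passwords() {
    awk '
        function report() {
            if (name != "" && value != "" && tolower(name) ~ /pass|secret/)
                print name
        }
        /^Name:/  { name = $0;  sub(/^Name: ?/, "", name) }
        /^Value:/ { value = $0; sub(/^Value: ?/, "", value) }
        /^$/      { report(); name = ""; value = "" }
        END       { report() }
    ' "$1"
}

# Succeed if the file has the world-read bit set (POSIX find -perm -004).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# Write a constructed sample database (hypothetical question names and values).
make_sample_db() {
    cat > "$1" <<'EOF'
Name: zope-instance/admin-user
Value: admin
Owners: zope-instance

Name: zope-instance/admin-password
Value: hunter2
Owners: zope-instance

Name: other/db-password
Value:
Owners: other
EOF
}

# Stand-alone run on the sample; for a real audit point
# find_leaked_passwords at /var/cache/debconf/config.dat instead.
sample=$(mktemp) && make_sample_db "$sample" && chmod 644 "$sample"
world_readable "$sample" && find_leaked_passwords "$sample" | sed 's/^/leak candidate: /'
rm -f "$sample"
```

Only the stanza with a non-empty Value and a password-like name is reported; the empty db-password answer is ignored.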