Package: freeradius
Version: 1.1.7-1
Severity: grave
Tags: security
Justification: user security hole

By default freeradius leaves /var/log/freeradius with permissions 755.
Enabling sqltrace will result in a world-readable sqltrace in this,
possibly containing cleartext passwords.

Been there, done that, lost two passwords.

Is there a reason for having /var/log/freeradius world-readable?

Suggestion: Change /var/log/freeradius permissions to 750.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages freeradius depends on:
ii  adduser      3.102                Add and remove users and groups
ii  libc6        2.3.6.ds1-13etch5    GNU C Library: Shared libraries
ii  libgdbm3     1.8.3-3              GNU dbm database routines (runtime
ii  libltdl3     1.5.22-4             A system independent dlopen wrappe
ii  libpam0g     0.79-5               Pluggable Authentication Modules l
ii  libperl5.8   5.8.8-7etch3         Shared Perl library
ii  libsnmp9     5.2.3-7etch2         NET SNMP (Simple Network Managemen
ii  lsb-base     3.1-23.2etch1        Linux Standard Base 3.1 init scrip

freeradius recommends no packages.

-- no debconf information
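
A check for the exposure described in the report above, as an added example that is not part of the original message or of the freeradius package. The function names are hypothetical, and it assumes a find that supports -maxdepth (GNU, BSD and busybox do).

```shell
#!/bin/sh
# Added example, not from the bug report. The directory is passed in by the
# caller; /var/log/freeradius is the one named in the report.

# True if users outside the owner and group may traverse (search) DIR.
other_can_search() {
    [ -n "$(find "$1" -maxdepth 0 -perm -001 -print)" ]
}

# List files directly in DIR that other users can open: the directory
# must grant them search (x) and the file must grant them read (r).
exposed_files() {
    other_can_search "$1" || return 0   # e.g. mode 750: nothing reachable
    find "$1" -maxdepth 1 -type f -perm -004 -print
}

# Report on DIR. Returns 0 if clean, 1 if files are exposed, 2 on error.
audit_logdir() {
    [ -d "$1" ] || { echo "ERROR: $1 is not a directory" >&2; return 2; }
    files=$(exposed_files "$1")
    if [ -n "$files" ]; then
        echo "EXPOSED: other users can read these files in $1:"
        echo "$files"
        return 1
    fi
    echo "OK: no file in $1 is readable by other users"
}

# Usage: audit_logdir /var/log/freeradius
```

A directory mode such as 751 still counts as exposed here: without the read bit other users cannot list the directory, but a trace file with a predictable name can be opened directly.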