Your message dated Fri, 04 Sep 2009 18:32:30 +0000
with message-id <e1mjdai-0006ej...@ries.debian.org>
and subject line Bug#425010: fixed in mantis 1.1.6+dfsg-2lenny1
has caused the Debian Bug report #425010,
regarding mantis: Config file with CLEAR PASSWORD is world-wide readable!!
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
425010: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=425010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.0.6+dfsg-4.1
Severity: grave

After an upgrade of Mantis, the config file /etc/mantis/config_db.php
is world-wide readable and contains the clear password of my SQL
database!!!

Please urgently fix this as it creates a very big security hole.

The previous version of Mantis was smarter:

  -rw-r-----  1 root www-data 1887 2007-05-18 11:27 config.php
         ^^^         ^^^^^^^^

I've run 'chgrp www-data' and 'chmod 640' on the new file
/etc/mantis/config_db.php and it's working.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mantis depends on:
ii  apache                      1.3.34-4.1   versatile, high-performance HTTP s
ii  apache2                     2.2.3-4      Next generation, scalable, extenda
ii  apache2-mpm-prefork [apache 2.2.3-4+b1   Traditional model for Apache HTTPD
ii  dbconfig-common             1.8.33       common framework for packaging dat
ii  debconf                     1.5.13       Debian configuration management sy
ii  libapache2-mod-php5         5.2.2-1+b1   server-side, HTML-embedded scripti
ii  libphp-adodb                4.94-1       The 'adodb' database abstraction l
ii  libphp-phpmailer            1.73-3       full featured email transfer class
ii  php4-cli                    6:4.4.6-2+b1 command-line interpreter for the p
ii  php4-mysql                  6:4.4.6-2+b1 MySQL module for php4
ii  php5-cli                    5.2.2-1+b1   command-line interpreter for the p
ii  php5-mysql                  5.2.2-1+b1   MySQL module for php5

mantis recommends no packages.

-- debconf information:
  mantis/dbconfig-reinstall: false
* mantis/dbconfig-install: true
* mantis/remote/newhost: localhost
  mantis/title: Mantis
* mantis/url: http://localhost/mantis/
  mantis/upgrade-backup: true
  mantis/internal/skip-preseed: false
  mantis/install-error: abort
  mantis/internal/reconfiguring: false
  mantis/dbconfig-remove:
* mantis/bounce: r...@wide.bouthors.org
* mantis/db_autoupdate: true
* mantis/ldap: false
  mantis/ldap_server: localhost
  mantis/version:
  mantis/from: man...@localhost
  mantis/show_version: true
  mantis/root_mysql: root
  mantis/passwords-do-not-match:
  mantis/signup: true
* mantis/admin: r...@wide.bouthors.org
* mantis/mysql/admin-user: root
* mantis/remote/port:
* mantis/username: mantis
  mantis/purge: false
* mantis/webmaster: webmas...@wide.bouthors.org
* mantis/dbconfig-upgrade: false
  mantis/remove-error: abort
* mantis/remote/host: localhost
* mantis/purge_db: true
* mantis/db/app-user: mantis
* mantis/mysql/method: tcp/ip
  mantis/dn: dn=
  mantis/mysql_port: 3306
* mantis/webserver: apache
* mantis/db/dbname: bugtracker
* mantis/database-type: mysql
  mantis/upgrade-error: abort
* mantis/app_configure: true
  mantis/language: english
* mantis/mysql_server: localhost
* mantis/database: bugtracker
  mantis/organisation:
-- 
 ,''`.
: :' :      Cyril Bouthors
`. `'         Debian.org
  `-

Attachment: pgpi31EP3ofkt.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: mantis
Source-Version: 1.1.6+dfsg-2lenny1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.1.6+dfsg-2lenny1.diff.gz
  to pool/main/m/mantis/mantis_1.1.6+dfsg-2lenny1.diff.gz
mantis_1.1.6+dfsg-2lenny1.dsc
  to pool/main/m/mantis/mantis_1.1.6+dfsg-2lenny1.dsc
mantis_1.1.6+dfsg-2lenny1_all.deb
  to pool/main/m/mantis/mantis_1.1.6+dfsg-2lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 425...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <schoenf...@debian.org> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 31 Jul 2009 14:17:34 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.6+dfsg-2lenny1
Distribution: stable-security
Urgency: high
Maintainer: Patrick Schoenfeld <schoenf...@debian.org>
Changed-By: Patrick Schoenfeld <schoenf...@debian.org>
Description: 
 mantis     - web-based bug tracking system
Closes: 425010
Changes: 
 mantis (1.1.6+dfsg-2lenny1) stable-security; urgency=high
 .
   * Urgency high because this upload fixes a security issue
   * Fix a security issue with the default permissions of the database
     configuration. It was world-readable. It is now fixed for
     new installations and previous installations are (carefully)
     updated. (Closes: #425010)
Checksums-Sha1: 
 7bc7a4b57195f3aeca0a9d3c1ec8fa98dfe4a1f5 1208 mantis_1.1.6+dfsg-2lenny1.dsc
 e6c7bd4bccf8f26a13fd4ee44bcb61cf332afd0e 2044082 mantis_1.1.6+dfsg.orig.tar.gz
 b14a6c9fabe83221e52be0051e27f49391b182d9 45118 mantis_1.1.6+dfsg-2lenny1.diff.gz
 feffa58aa8bfc1c347782ea1d5124e0c6b2ff63f 1744390 mantis_1.1.6+dfsg-2lenny1_all.deb
Checksums-Sha256: 
 0a1faac9eba072546e72950803f1a6c7632f19b731a46fe869456c176e204c71 1208 mantis_1.1.6+dfsg-2lenny1.dsc
 98fd890c1580c9ae554d51e5087da0eb61c0425a43993923d99637dcd54c2903 2044082 mantis_1.1.6+dfsg.orig.tar.gz
 8ffde9c10f29dfdc5373c6b5e5d0dfac035fdce3646146147077db3c951ee997 45118 mantis_1.1.6+dfsg-2lenny1.diff.gz
 a69f0087735adf54d526b0693c9f6cdf59bbd30ebaf8f766fa273b5a539cb79a 1744390 mantis_1.1.6+dfsg-2lenny1_all.deb
Files: 
 f77403f035efa94936500520fe273692 1208 web optional mantis_1.1.6+dfsg-2lenny1.dsc
 429853b8caacc9e713b686524524418a 2044082 web optional mantis_1.1.6+dfsg.orig.tar.gz
 68a32687bce135f3032a184c8ebf788f 45118 web optional mantis_1.1.6+dfsg-2lenny1.diff.gz
 7a7ff3cd017be50fa3ba162ac82eb3de 1744390 web optional mantis_1.1.6+dfsg-2lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp37XIACgkQbdB4RPTVesqIhgCfb5VKOP5JmEPNddsrJBTiy6R0
290AnipMV/8FUB07e/Ds30MV59P5BzeC
=NW6m
-----END PGP SIGNATURE-----



--- End Message ---
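The report above describes a config file that holds the database password in the clear and came out of an upgrade world-readable, and the changelog says the fix tightens the default permissions and carefully updates existing installations. The following shell script is an added example of the audit-and-tighten procedure a sysadmin would run to catch and close that condition; it is not the reporter's commands and not the mantis package's maintainer scripts. It assumes GNU coreutils `stat -c` (Linux), a web-server group named www-data, and that the password marker is a `$g_db_password = ...` line as in Mantis's config_db.php; the variable name and the directory default are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example, not code from the Debian bug report or the mantis package.
# Audits config files that store a cleartext database password for the
# world-readable condition in the report, and tightens them to the
# owner rw / group r / others nothing (0640, group www-data) layout the
# reporter restored by hand.
#
# Assumptions: GNU coreutils "stat -c" (Linux), a web-server group named
# www-data, and a "$g_db_password = ..." line as the password marker.

# Succeed when "other" has the read bit, i.e. any local user can read the file.
world_readable() {
    mode=$(stat -c '%a' "$1")          # octal mode without leading zero, e.g. 644 or 1644
    other=${mode#"${mode%?}"}          # last octal digit holds the "other" bits
    [ $(( other & 4 )) -ne 0 ]
}

# Succeed when the file assigns a database password in the clear.
# The variable name is the one Mantis uses; adjust for other applications.
has_cleartext_password() {
    grep -Eq '^[[:space:]]*\$g_db_password[[:space:]]*=' "$1"
}

# List every file below a directory that is both world-readable (-perm -004)
# and carries a cleartext database password: the check to run after an
# upgrade to catch the regression from the report.
find_exposed() {
    find "$1" -type f -perm -004 | while read -r f; do
        if has_cleartext_password "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Restrict one file to 0640 and hand its group to the web server so the
# application can still read its own configuration.  The group change needs
# root and an existing group, so it is attempted but not fatal; the mode
# change is what closes the hole.
secure_config() {
    f="$1"
    grp="${2:-www-data}"
    if ! world_readable "$f" && [ "$(stat -c '%G' "$f")" = "$grp" ]; then
        printf '%s: already restricted\n' "$f"
        return 0
    fi
    chgrp "$grp" "$f" 2>/dev/null \
        || printf 'warning: could not chgrp %s to %s (not root, or no such group)\n' "$f" "$grp" >&2
    chmod u=rw,g=r,o= "$f"             # 0640: owner rw, group r, nothing for others
    printf '%s: now %s\n' "$f" "$(stat -c '%U:%G %a' "$f")"
}

# Audit a directory (default /etc/mantis, an assumption) and tighten every
# exposed file found there.
main() {
    dir="${1:-/etc/mantis}"
    [ -d "$dir" ] || { printf '%s: no such directory\n' "$dir" >&2; return 1; }
    find_exposed "$dir" | while read -r f; do
        secure_config "$f"
    done
}

# Stand-alone use: sh audit_config.sh /etc/mantis
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root so the chgrp succeeds; as an unprivileged user it still removes the "other" bits from files you own, which is the part that matters for the disclosure. The script only ever narrows the mode to 0640 and never widens a file that is already stricter and already in the web-server group, which is the "careful" behaviour an upgrade path needs so it does not clobber an admin's own tightening.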
