Hello

On Wed, Oct 05, 2005 at 01:16:23PM -0400, Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
>
> In the README.Debian, in section 6. it is recommended that the end
> user executes:
>
> chown root.www config/*
> chmod 0440 config/*
>
> because the "Some of Horde's configuration files contain passwords which
> local users could use to access your database".
>
> This is something that should be done by the maintainer scripts and not
> left up to the end user to do.

I'm not sure that I agree with you here. In order to add a password there
you have to change the permissions of these files anyway.

Regards,

// Ola

>
> -- System Information:
> Debian Release: testing/unstable
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
>
> Versions of packages horde3 depends on:
> ii apache [httpd] 1.3.33-7 versatile, high-performance HTTP s
> ii libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
> ii php4 4:4.3.10-15 server-side, HTML-embedded scripti
> ii php4-cli [phpapi-20020918] 4:4.3.10-15 command-line interpreter for the p
> ii php4-domxml 4:4.3.10-15 XMLv2 module for php4
> ii php4-pear 4:4.3.10-15 PEAR - PHP Extension and Applicati
> ii php4-pear-log 1.6.0-1.1 Log module for PEAR
>
> Versions of packages horde3 recommends:
> ii logrotate 3.7.1-2 Log rotation utility
> pn php-date <none> (no description available)
> pn php-file <none> (no description available)
> pn php-mail-mime <none> (no description available)
> pn php-services-weather <none> (no description available)
> pn php4-gd | php4-gd2 <none> (no description available)
> pn php4-mcrypt <none> (no description available)
> pn php4-mysql | php4-pgsql | php <none> (no description available)
>
> -- no debconf information
>
>

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                   Annebergsslingan 37      \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
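
The two README.Debian commands quoted in the report, as an added example that is not part of the original thread or of the horde3 package: a shell sketch that lists config files looser than 0440 and then applies that mode. The function names and the directory argument are assumptions; changing ownership is optional because chown needs root.

```shell
#!/bin/sh
# Added example, not code from the horde3 package.
# audit_config and harden_config are hypothetical names.

# List regular files directly under DIR whose mode is looser than 0440:
# any permission bit for "other", or any write/execute bit for owner/group.
audit_config() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \( \
        -perm -004 -o -perm -002 -o -perm -001 -o \
        -perm -200 -o -perm -020 -o \
        -perm -100 -o -perm -010 \) -print
}

# Apply the mode recommended in README.Debian (0440) to every regular file
# directly under DIR. If OWNER:GROUP is given (for example root:www, the
# colon form of the root.www in the quoted commands), also change ownership.
harden_config() {
    dir=$1
    owner=${2:-}
    find "$dir" -maxdepth 1 -type f -exec chmod 0440 {} +
    if [ -n "$owner" ]; then
        find "$dir" -maxdepth 1 -type f -exec chown "$owner" {} +
    fi
}
```

An empty result from `audit_config` after `harden_config` means no file in the directory is readable by accounts outside the owner and group.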