Your message dated Fri, 17 May 2013 11:43:14 +0000
with message-id <e1udj46-0003ib...@franck.debian.org>
and subject line Bug#707941: Removed package(s) from unstable
has caused the Debian Bug report #564561,
regarding Security issue: MySQL root password stored in /etc/gallery2/config.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
564561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gallery2
Version: 2.3-1
Severity: normal
When configuring the gallery2 package, it asks for a
"Database admin user account capable of creating new databases."
In other Debian packages that use MySQL, the install scripts create a new
database and a new MySQL user with write access to that database. The
gallery package however stores the admin user and password typed in during
configuration in /etc/gallery2/config.php. This is not expected and not
wanted. Since this file is owned by www-data, a minor bug in any PHP
script can cause the MySQL root password to be revealed.
This might be related to bug #328778.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (990, 'stable'), (400, 'testing'), (300, 'experimental'), (300,
'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31.6-Soleus64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages gallery2 depends on:
ii apache2 2.2.9-10+lenny6 Apache HTTP Server metapackage
ii apache2-mpm-pre 2.2.14-3 Apache HTTP Server - traditional n
ii debconf [debcon 1.5.24 Debian configuration management sy
ii imagemagick 7:6.3.7.9.dfsg2-1~lenny3 image manipulation programs
ii libapache2-mod- 5.2.11.dfsg.1-1 server-side, HTML-embedded scripti
ii libphp-adodb 5.09a-1 The ADOdb database abstraction lay
ii mysql-client-5. 5.0.51a-24+lenny2 MySQL database client binaries
ii php5 5.2.11.dfsg.1-1 server-side, HTML-embedded scripti
ii php5-mysql 5.2.11.dfsg.1-1 MySQL module for php5
ii smarty 2.6.26-0.1 Template engine for PHP
ii wwwconfig-commo 0.2.1 Debian web auto configuration
Versions of packages gallery2 recommends:
ii dcraw 8.86-1 decode raw digital camera images
ii ffmpeg 5:0.5+svn20091224-0.0 audio/video encoder, streaming ser
ii jhead 1:2.88-1 manipulate the non-image part of E
ii libjpeg-progs 7-1 Programs for manipulating JPEG fil
ii php5-gd 5.2.11.dfsg.1-1 GD module for php5
ii unzip 5.52-12 De-archiver for .zip files
ii zip 2.32-1 Archiver for .zip files
Versions of packages gallery2 suggests:
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny2 MySQL database server binaries
-- debconf information:
gallery2/webserver_type: apache, apache-ssl, apache-perl, apache2
gallery2/mysql/dbname: gallery2
* gallery2/mysql/dbserver: localhost
gallery2/mysql/configure: true
* gallery2/restart-webserver: false
gallery2/purge: true
* gallery2/mysql/dbadmin: root
--- End Message ---
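Added example, not part of the bug report or of the gallery2 package: a Python check for the condition the report describes, an administrative database account stored in a web application config file that the web server user owns. The $storeConfig key layout, the list of admin account names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Accounts treated as database administrators (assumption for this example).
ADMIN_USERS = {"root", "admin", "debian-sys-maint"}

# Assumed layout: PHP assignments of the form $storeConfig['key'] = 'value';
# Lines that are commented out do not match because of the ^\s*\$ anchor.
ASSIGN_RE = re.compile(
    r"""^\s*\$storeConfig\[\s*['"](\w+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]\s*;""",
    re.MULTILINE,
)

def parse_store_config(php_text):
    """Return the $storeConfig assignments found in a PHP config file."""
    return dict(ASSIGN_RE.findall(php_text))

def audit(php_text, owner, mode):
    """List findings for one config file given its owner name and mode bits."""
    cfg = parse_store_config(php_text)
    findings = []
    user = cfg.get("username", "")
    if user.lower() in ADMIN_USERS:
        findings.append(f"database admin account '{user}' stored in web app config")
    if cfg.get("password") and owner == "www-data":
        findings.append("file holding a DB password is owned by the web server user")
    if cfg.get("password") and mode & 0o004:
        findings.append("file holding a DB password is world-readable")
    return findings

# Constructed sample inputs, not taken from a real installation.
AS_REPORTED = """<?php
$storeConfig['type'] = 'mysql';
$storeConfig['hostname'] = 'localhost';
$storeConfig['database'] = 'gallery2';
$storeConfig['username'] = 'root';
$storeConfig['password'] = 'example-password';
"""
# What the reporter expected: a dedicated user limited to the gallery2 database.
DEDICATED = AS_REPORTED.replace("'root'", "'gallery2'")

if __name__ == "__main__":
    for label, text, owner, mode in [
        ("as reported", AS_REPORTED, "www-data", 0o644),
        ("dedicated user", DEDICATED, "root", 0o640),
    ]:
        print(label, audit(text, owner, mode) or "no findings")
```

On a live system the owner and mode would come from os.stat() on the config file rather than being passed in by hand.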
--- Begin Message ---
Version: 2.3.2.dfsg-1+rm
Dear submitter,
as the package gallery2 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/707941
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@debian.org.
Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)
--- End Message ---