tags 665696 + security
clone 665696 -1
reassign -1 gosa
retitle -1 gosa: unescaped arguments used on a command line
found -1 gosa/2.6.11-3
found -1 gosa/2.6.11-3+squeeze1
fixed -1 gosa/2.7.3-1
tags -1 + squeeze fixed-upstream
blocks 665696 by -1
thanks
Hi!
So, the problem here was that %userPassw
[Samuel Krempp]
> yes the patch to gosa.conf I had first sent has to be reversed if
> GOsa is upgraded to escape userPassword (in functions.inc).
OK. Then I believe we should patch gosa instead to fix it properly
and completely, and get a fix into squeeze. For r1 we should probably
provide our o
Steven Chamberlain wrote, on 27/03/2012 01:54:
Hi,
On 26/03/12 10:05, Petter Reinholdtsen wrote:
> The fix for gosa.conf is not upgradable, so we need to come up with a
> better idea.
The fix won't work. Using quotes in gosa.conf is no good if the
%userPassword substitution could contain double quotes.
As Samuel said, the correct fix is for
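To make Steven's point concrete, here is an added example (not code from the thread, from GOsa or from debian-edu-config): a constructed gosa.conf-style template that wraps the substituted value in double quotes, a naive textual substitution beside one that escapes the value in code (Python's shlex.quote stands in for the escaping step the thread asks for in functions.inc), and a check of how a POSIX shell would tokenise the resulting command line.

```python
"""Why wrapping %userPassword in double quotes is not a fix.

Assumption: the template below is constructed for this example and only
mimics the double-quote workaround; it is not the real gosa.conf line.
"""
import shlex

# Constructed template: placeholders are replaced textually, then the
# finished string is handed to a shell.
TEMPLATE = 'gosa-sync --uid "%uid" --password "%userPassword"'


def substitute_naive(template: str, values: dict) -> str:
    """Plain textual replacement, with no escaping of the values."""
    cmd = template
    for key, value in values.items():
        cmd = cmd.replace('%' + key, value)
    return cmd


def substitute_escaped(template: str, values: dict) -> str:
    """Replace each placeholder with a shell-safe token.

    The template's own double quotes around a placeholder are dropped so
    that shlex.quote() alone decides how the value is delimited.
    """
    cmd = template
    for key, value in values.items():
        cmd = cmd.replace('"%' + key + '"', shlex.quote(value))
        cmd = cmd.replace('%' + key, shlex.quote(value))
    return cmd


def shell_argv(cmd: str):
    """Tokenise cmd as a POSIX shell would; None if the quoting is unbalanced."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


def password_survives(password: str, substitute) -> bool:
    """True only if the shell would pass the password to gosa-sync as a
    single argument, unchanged."""
    cmd = substitute(TEMPLATE, {'uid': 'jdoe', 'userPassword': password})
    argv = shell_argv(cmd)
    return argv == ['gosa-sync', '--uid', 'jdoe', '--password', password]
```

A password containing a space is fine under the double-quote workaround, but one containing double quotes either splits into extra arguments or leaves the quoting unbalanced, while the escaped substitution keeps every value intact.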
Petter Reinholdtsen wrote, on 26/03/2012 11:05:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
options (keeping the old or upgrading to the new file) are wrong.
The old file
Samuel Krempp wrote, on 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago:
https://oss.gonicus.de/labs/gosa/ticket/1026
"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too. "
How serious i
Petter Reinholdtsen wrote, on 25/03/2012 10:45:
tags 665696 + pending
thanks
[Samuel Krempp]
following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
the issue remains for other special characters, at least quotes. But the
only
tags 665696 + pending
thanks
[Samuel Krempp]
> following patch just adds the quoting, and was verified to fix the
> issue.
Thank you. I have committed the fix to svn.
--
Happy hacking
Petter Reinholdtsen
package: debian-edu-config
severity: important
version: squeeze/r0
spaces need adequate quoting of the password variable in both gosa-sync
and gosa.conf.
It is also very likely a security hazard in letting the user-supplied
password string unquoted in those two files, whence severity=importan