Package: tomcat5.5
Severity: grave
Tags: security
Justification: user security hole

/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions 644. I consider this a security problem, because it's all too easy to add the admin or manager roles while forgetting to change the file permissions to something more restrictive, thus revealing the authentication data used to manage the Tomcat installation to all local users. I suggest the file be chmodded to 600 during installation.

-- System Information:
Debian Release: etch
Architecture: i386 (i686)
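The check an administrator would want after reading this report, written as an added example rather than anything shipped by the tomcat5.5 package or posted by the reporter: a small POSIX sh audit that reports whether tomcat-users.xml is readable by group or others, whether it defines the privileged manager/admin roles the report mentions, and that tightens the mode to 0600 when asked. It assumes GNU coreutils `stat` (as on Debian); the function names and the path argument are the example's own, with the report's /var/lib/tomcat5.5/conf/tomcat-users.xml used only as the default.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian package.
# Audits the permission bits of a Tomcat tomcat-users.xml and can
# tighten them to 0600, which is the fix the report asks for.
# Assumes GNU coreutils `stat -c '%a'` (prints octal mode, e.g. 644).

DEFAULT_USERS_XML=/var/lib/tomcat5.5/conf/tomcat-users.xml   # path from the report

# Succeed (0) only when group and other have no permission bits at all,
# i.e. the octal mode ends in "00" (0600, 0400, 0700 ...).
mode_is_private() {
    case "$(stat -c '%a' "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeed (0) when any roles="..." attribute grants manager or admin.
# Deliberately conservative: a commented-out example line also matches,
# so a false positive is possible but a live privileged user is never missed.
has_privileged_roles() {
    grep -Eq 'roles="[^"]*(manager|admin)' "$1"
}

# Combined audit. Exit status: 0 = fine, 2 = credentials exposed to local
# users (privileged roles present and the file is group/other readable),
# 1 = file is readable but holds no privileged roles (still worth fixing).
audit_tomcat_users() {
    f=${1:-$DEFAULT_USERS_XML}
    if mode_is_private "$f"; then
        echo "ok: $f mode $(stat -c '%a' "$f") is private"
        return 0
    fi
    if has_privileged_roles "$f"; then
        echo "EXPOSED: $f mode $(stat -c '%a' "$f") with manager/admin roles"
        return 2
    fi
    echo "warning: $f mode $(stat -c '%a' "$f") is readable by others"
    return 1
}

# The remedy suggested in the report: make the file owner-only.
harden_tomcat_users() {
    chmod 600 "${1:-$DEFAULT_USERS_XML}"
}

# Run the audit only when a path is given on the command line, so that
# sourcing this file for its functions has no side effects.
if [ "$#" -gt 0 ]; then
    audit_tomcat_users "$1"
fi
```

Usage: `sh audit-tomcat-users.sh /var/lib/tomcat5.5/conf/tomcat-users.xml` reports the state and returns 2 when the situation the report describes (mode 644 plus manager/admin roles) is present; `harden_tomcat_users` applies the 0600 fix. The mode check treats any group/other bit as a failure rather than only the read bit, since a writable file is worse, not better.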