On 30.07.2012 21:09, Alexander Wirt wrote:
> On Mon, 30 Jul 2012, Yves-Alexis Perez wrote:
> >
> > Source: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> >
> > DB creation scripts shipped in icinga-idoutils are insecure (they grant
> > privileges for all users). See
> > https://bugzilla.novell.com/show_bug.cgi?id=767319 and:
> >
> > https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
> > https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63
> >
> > As far as I can tell the bug in stable is only in documentation, but in
> > Wheezy it affects the scripts too. Please backport the changes and only
> > upload a targeted fix.
> hmm? We use dbconfig-common. We don't use this script, and we also don't install
> README.RHEL.idoutils anywhere. So this is docs only.

The docs were fixed in 1.7.1, which was released on 18.6.2012.

See icinga-core.git branch r1.7, cd docbook, git pull && git log

commit 619a08ca1178144b8a3a5caafff32a2d3918edab
Author: Wolfgang <w...@gmx.net>
Date:   Fri Jun 15 19:08:55 2012 +0200

    docs issue #2690: limit grant to icinga db

So it's a bug in a script which is shipped example-wise upstream. SUSE packages are the only known package source using those scripts; even the RepoForge RPMs do not use those scripts (therefore the README.RHEL.idoutils fix by me). So this might still be an issue, but only for those manually invoking such scripts from the examples.

kind regards,
Michael

--
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email:     michael.friedr...@univie.ac.at
phone:     +43 1 4277 14359
mobile:    +43 664 60277 14359
fax:       +43 1 4277 14338
web:       http://www.univie.ac.at/zid
           http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org
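The thread turns on one point: a setup script whose GRANT reaches every database (and, per the report, every user) instead of just the icinga database. The following is an added example, not code from the icinga project or from any participant in this thread: a small Python checker that scans a SQL setup script for GRANT statements and reports those whose scope is `*.*`, whose scope is a database other than the one expected, whose grantee is the anonymous user, or whose grantee may connect from any host. The SQL in `SAMPLE_SCRIPT` is constructed for illustration and is not the actual icinga-idoutils script; the narrowed form there is only my reading of the commit message "limit grant to icinga db". It also handles the one edge case that would otherwise cause a false positive: `GRANT USAGE ON *.*`, which in MySQL creates the account without granting anything.

```python
"""Flag over-broad GRANT statements in a database setup script.

Added example for this thread, not code from the icinga project. The SQL
in SAMPLE_SCRIPT is constructed to illustrate the two shapes the thread
contrasts: a grant on every database ('*.*') to a user reachable from any
host, and a grant narrowed to the icinga database.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Matches MySQL-style GRANT statements of the form
#   GRANT <privs> ON <db>.<table> TO '<user>'@'<host>' ...
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    statement: str
    reasons: List[str] = field(default_factory=list)


def check_grant(statement: str, expected_db: str) -> List[str]:
    """Return why this GRANT is broader than expected_db needs ([] if it is fine)."""
    m = GRANT_RE.search(statement)
    if not m:
        return []  # not a GRANT we understand; nothing to say
    reasons: List[str] = []
    privs = m.group("privs").strip().upper()
    scope_db = m.group("scope").split(".")[0].strip("`")
    # 'GRANT USAGE ON *.*' confers no privileges in MySQL (it only creates the
    # account), so the global scope is harmless in that one case.
    if privs != "USAGE":
        if scope_db == "*":
            reasons.append("scope is every database (*.*)")
        elif scope_db.lower() != expected_db.lower():
            reasons.append(
                f"scope '{scope_db}' is not the expected database '{expected_db}'"
            )
    if m.group("user") == "":
        reasons.append("grantee is the anonymous user")
    if m.group("host") == "%":
        reasons.append("grantee may connect from any host")
    return reasons


def iter_statements(sql_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, statement) for each ';'-terminated statement,
    skipping blank lines and '--' comment lines."""
    buf: List[str] = []
    start = None
    for no, line in enumerate(sql_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("--"):
            continue
        if start is None:
            start = no
        buf.append(stripped)
        if stripped.endswith(";"):
            yield start, " ".join(buf)
            buf, start = [], None


def scan_script(sql_text: str, expected_db: str) -> List[Finding]:
    """Run check_grant over every statement and collect the problematic ones."""
    findings = []
    for line_no, stmt in iter_statements(sql_text):
        reasons = check_grant(stmt, expected_db)
        if reasons:
            findings.append(Finding(line_no, stmt, reasons))
    return findings


# Constructed sample, not the real icinga-idoutils script.
SAMPLE_SCRIPT = """\
-- constructed example: over-broad grant of the kind the bug report describes
CREATE DATABASE IF NOT EXISTS icinga;
GRANT ALL PRIVILEGES ON *.* TO 'icinga'@'%' IDENTIFIED BY 'icinga';
-- constructed example: grant limited to the icinga database
GRANT USAGE ON *.* TO 'icinga'@'localhost' IDENTIFIED BY 'icinga';
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
    ON icinga.* TO 'icinga'@'localhost';
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "icinga"):
        print(f"line {f.line_no}: {f.statement}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed script it reports only line 3 (the `*.*` grant to `'icinga'@'%'`); the `GRANT USAGE` account-creation line and the grant scoped to `icinga.*` pass. The checker is deliberately limited to the quoted `'user'@'host'` form so it does not misread statements it does not understand; a statement it cannot parse is simply not reported.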

