Your message dated Sat, 10 Feb 2007 18:02:02 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#410349: fixed in hellanzb 0.11-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
Package: hellanzb
Version: 0.10-1
Severity: important
Tags: patch

*** Please type your report below this line ***

The installed configfile /etc/hellanzb.conf contains the following:

Hellanzb.XMLRPC_PASSWORD = "changeme"

While this is a reasonable recommendation, it is an active value, and will allow users to connect using the password "changeme" to control any running hellanzb daemon, resulting in at least denial of service possibilities. The obvious possibilities include shutting the daemon down, filling the disk, and causing hellanzb to download content of the attacker's choosing (by creating a post on usenet and then submitting a matching nzb). The last may be significantly helpful in mounting an intrusion attack. I do not know if hellanzb's postprocessing is safe against unpacking executable-bit-set files.

Also there is the unpleasantness of having this program (which I'm sure is not really designed with security as the first priority) listening to the internet on a default port, when it is not really apparent that it will behave as a network server. Additionally, there have been security problems within XMLRPC implementations before, and hellanzb itself may not even need to have a flaw to expose the user.

Recommendations:

- Consider adding a debconf setting to force the administrator to pick some kind of password, or at least to warn about the issue on install.

- Consider patching hellanzb to refuse to start when a password is not explicitly set (this may be true now, I'm not in a good position to test at the moment), requiring the administrator or user to edit the configfile and choose a password of their own.
- Patch hellanzb to listen on the interface supplied in Hellanzb.XMLRPC_SERVER, or perhaps a new, additional config value such as Hellanzb.XMLRPC_LISTEN. An example patch (generated in reverse) is located in the upstream ticket system here: http://www.hellanzb.com/trac/hellanzb/ticket/249 Applying this patch with the current configfile will cause Hellanzb to listen to localhost only in combination with the current default configuration file, which will be a marked improvement to the package. The author is understanding of the issue and may apply this patch or a variant in the future.

- Really the ideal would be for the IPC to work over UNIX domain sockets by default, but I'm certainly not going to bother to author that patch. :-)

By the way, thanks for packaging this program. It works very well. Your confDirs patch is a nice touch, which I used when upgrading to 0.11 myself.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2-jsr1
Locale: LANG=en_US.iso88591, LC_CTYPE=en_US.iso88591 (charmap=ISO-8859-1)

Versions of packages hellanzb depends on:
ii  par2                 0.4-8      Parity Archive Volume Set, for che
ii  python               2.4.4-2    An interactive high-level object-o
ii  python-support       0.5.6      automated rebuilding support for p
ii  python-twisted-core  2.4.0-3    Event-based framework for internet
ii  python-twisted-web   0.6.0-1    An HTTP protocol implementation to

hellanzb recommends no packages.

-- no debconf information
--- End Message ---
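The report above describes two separate weaknesses in the shipped hellanzb.conf: an active default control password ("changeme") and an XML-RPC server that binds a network-reachable interface. The following checker is an added example, not code from the bug report, hellanzb or the Debian package. It audits a hellanzb-style config (Python assignment syntax, as shown in the report) for both conditions. It assumes a Hellanzb.XMLRPC_LISTEN option, which is the name the reporter proposes rather than one confirmed by upstream, and treats a missing bind address as "all interfaces", which is the pre-0.11 behaviour the report complains about. The sample configs are constructed for the example.

```python
import ast
import ipaddress

# Constructed sample: the shipped default the bug report describes
# (no bind-address option, active "changeme" control password).
SAMPLE_DEFAULT_CONF = '''
Hellanzb.XMLRPC_SERVER = "localhost"   # host the *client* connects to
Hellanzb.XMLRPC_PORT = 8760
Hellanzb.XMLRPC_PASSWORD = "changeme"
'''

# Constructed sample: what an administrator should end up with.
# XMLRPC_LISTEN is the option name proposed in the report (assumption).
SAMPLE_HARDENED_CONF = '''
Hellanzb.XMLRPC_SERVER = "localhost"
Hellanzb.XMLRPC_LISTEN = "127.0.0.1"
Hellanzb.XMLRPC_PORT = 8760
Hellanzb.XMLRPC_PASSWORD = "c0rrect-h0rse-battery"
'''

# Values that should never be accepted as a control password.
WEAK_PASSWORDS = {"", "changeme", "password", "hellanzb"}


def parse_conf(text):
    """Extract Hellanzb.<NAME> = <literal> assignments from the config.

    hellanzb executes its config as Python; this checker instead walks the
    AST and only evaluates literals, so auditing an untrusted file cannot
    run code.  Non-literal right-hand sides are recorded as None.
    """
    settings = {}
    for node in ast.parse(text).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if (isinstance(target, ast.Attribute)
                    and isinstance(target.value, ast.Name)
                    and target.value.id == "Hellanzb"):
                try:
                    settings[target.attr] = ast.literal_eval(node.value)
                except ValueError:
                    settings[target.attr] = None
    return settings


def is_loopback(addr):
    """True for 'localhost' or any loopback IPv4/IPv6 address."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(settings):
    """Return a list of finding strings; empty means both checks passed."""
    findings = []

    pw = settings.get("XMLRPC_PASSWORD")
    if not isinstance(pw, str) or pw.lower() in WEAK_PASSWORDS:
        findings.append("XMLRPC_PASSWORD is unset or a known default value")

    listen = settings.get("XMLRPC_LISTEN")
    if listen is None:
        # Assumption: without a bind option the server listens on all
        # interfaces, which is the behaviour the report objects to.
        findings.append("no XMLRPC_LISTEN: XML-RPC server binds all interfaces")
    elif not is_loopback(listen):
        findings.append("XMLRPC_LISTEN=%r is not a loopback address" % (listen,))

    return findings


def audit_conf(text):
    """Parse and audit a config in one call."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT_CONF),
                       ("hardened", SAMPLE_HARDENED_CONF)):
        print(name, audit_conf(conf) or ["ok"])
```

A config that sets XMLRPC_LISTEN to "0.0.0.0" or "::" is reported as non-loopback, and a password assigned from an expression rather than a string literal is reported as unset rather than silently accepted.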
--- Begin Message ---
Source: hellanzb
Source-Version: 0.11-1

We believe that the bug you reported is fixed in the latest version of
hellanzb, which is due to be installed in the Debian FTP archive:

hellanzb_0.11-1.diff.gz
  to pool/main/h/hellanzb/hellanzb_0.11-1.diff.gz
hellanzb_0.11-1.dsc
  to pool/main/h/hellanzb/hellanzb_0.11-1.dsc
hellanzb_0.11-1_all.deb
  to pool/main/h/hellanzb/hellanzb_0.11-1_all.deb
hellanzb_0.11.orig.tar.gz
  to pool/main/h/hellanzb/hellanzb_0.11.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Cécile (Le_Vert) <[EMAIL PROTECTED]> (supplier of updated hellanzb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Feb 2007 15:01:20 +0100
Source: hellanzb
Binary: hellanzb
Architecture: source all
Version: 0.11-1
Distribution: experimental
Urgency: low
Maintainer: Adam Cécile (Le_Vert) <[EMAIL PROTECTED]>
Changed-By: Adam Cécile (Le_Vert) <[EMAIL PROTECTED]>
Description:
 hellanzb   - Newzbin (nzb) & BinNews (bns) files downloader and post-processor
Closes: 410349
Changes:
 hellanzb (0.11-1) experimental; urgency=low
 .
   * New upstream release.
   * Update conffile search path patch.
   * Add a new patch to choose where the XMLRPC server will be binded,
     default 127.0.0.1 (Closes: #410349).
   * Do not ship a hellanzb.cnf anymore; patch and install the upstream one.
   * Attention: Configuration file has changed. See NEWS.Debian.
Files:
 7fa27206a26a87a78c816524de6c9e9d 673 net extra hellanzb_0.11-1.dsc
 ca1c1ad974b74fd412fb821366c13d92 160144 net extra hellanzb_0.11.orig.tar.gz
 9247d069d525454197b6372abdd97eb1 7426 net extra hellanzb_0.11-1.diff.gz
 03260b6559781db3164635a1b762ebe6 169584 net extra hellanzb_0.11-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFzgYT+C5cwEsrK54RAhqaAJ9GcjVY9fyNz5U1ekNziZ7kgEajAgCeOCUR
GCj7PB6M9VFA9Zsmu7aStk0=
=mTvl
-----END PGP SIGNATURE-----
--- End Message ---

