Your message dated Fri, 8 May 2009 10:46:16 +0200
with message-id <[email protected]>
and subject line Re: Bug#527476: prewikka: password file world-readable
has caused the Debian Bug report #527476,
regarding prewikka: password file world-readable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
527476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527476
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: prewikka
Severity: important
Tags: security

Hi,

Red Hat recently issued security updates for prewikka [0] because the
password file is world readable.  The text of the issue is:

| The permissions on the prewikka.conf file are world readable and contain the sql
| database password used by prewikka. This update makes it readable just
| by the apache group.

Please determine whether Debian is affected by this issue.  If so,
please coordinate with the security team ([email protected]) to
prepare updates for the stable releases.

Thank you,
Mike

[0] http://lwn.net/Articles/330642



--- End Message ---
--- Begin Message ---
On Thu, May 07, 2009 at 04:03:05PM -0400, Michael S. Gilbert wrote:
> Package: prewikka
> Severity: important
> Tags: security
> 
> Hi,
> 
> Red Hat recently issued security updates for prewikka [0] because the
> password file is world readable.  The text of the issue is:
> 
> | The permissions on the prewikka.conf file are world readable and contain the sql
> | database password used by prewikka. This update makes it readable just
> | by the apache group.
> 
> Please determine whether Debian is affected by this issue.  If so,
> please coordinate with the security team ([email protected]) to
> prepare updates for the stable releases.

Hi,

While I appreciate the effort of checking security related things, I'll
just point out that the verification was fairly trivial:

$ grep -C1 chmod debian/prewikka.postinst
  # make sure conf file has the correct permissions and owner/group
  chmod 640 /etc/prewikka/prewikka.conf

$ grep -C2 prewikka.conf debian/changelog
prewikka (0.9.11.3-2) unstable; urgency=low

  * Make sure prewikka.conf is not world-readable

 -- Pierre Chifflier <[email protected]>  Fri, 08 Jun 2007 15:35:25 +0200

The problem was fixed in 0.9.11.3-2, and current Debian version (in both
stable, testing and unstable) is 0.9.14-2, so I'm closing the bug.

Cheers,
Pierre


> 
> Thank you,
> Mike
> 
> [0] http://lwn.net/Articles/330642
> 
> 


--- End Message ---
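
The check discussed in this thread, as an added example that is not part of either message or of the Debian package: a small POSIX shell audit that reports whether a credentials-bearing config file grants any permission to "other" and applies the same `chmod 640` the postinst uses. The function names and the optional group argument are assumptions made for illustration; the demo runs on a constructed temporary file, not on /etc/prewikka/prewikka.conf.

```shell
#!/bin/sh
# Added example: audit and harden a config file that stores a database password.

# Return 0 if "other" holds any of r/w/x on the file (portable find -perm test).
other_can_access() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# audit_conf FILE
# Prints one finding line. Returns 0 = ok, 1 = accessible to other, 2 = missing.
audit_conf() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if other_can_access "$f"; then
        echo "WORLD-ACCESSIBLE $f"
        return 1
    fi
    echo "OK $f"
    return 0
}

# harden_conf FILE [GROUP]
# Applies mode 640 as the postinst does. GROUP is optional and hypothetical:
# pass the group your web server runs as if the file should be group-readable by it.
harden_conf() {
    f=$1
    grp=${2:-}
    [ -f "$f" ] || return 2
    if [ -n "$grp" ]; then
        chgrp "$grp" "$f" || return 1
    fi
    chmod 640 "$f"
}

# Demo on a constructed file: start world-readable (644), audit, harden, audit again.
demo() {
    tmp=$(mktemp) || return 0
    printf 'pass: constructed-sample\n' > "$tmp"
    chmod 644 "$tmp"
    audit_conf "$tmp" || true
    harden_conf "$tmp"
    audit_conf "$tmp" || true
    rm -f "$tmp"
}
demo
```
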
