Your message dated Wed, 27 Nov 2013 09:51:22 +0000 with message-id <[email protected]> and subject line Bug#730121: Removed package(s) from unstable has caused the Debian Bug report #723200, regarding mantis install.php creates database user with wrong permissions to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 723200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723200 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: mantis Version: 1.2.11-1.2 Tags: security It seems, that a bug in Ubuntu [2] mantis package is also present in package mantis_1.2.11-1.2_all.deb (Debian stable). The problematic code is in /usr/share/mantis/www/admin/install.php causing mantis-install to grant privileges to wrong user@hostname combination. This is only relevant when apache-server and database are not on the same host. The correct grant should be [user]@[webserver hostname/IP] to grant only access to webserver but grants privileges to [user]@[database host name] instead. When mysql is running in hardened setup, this also causes installation procedure to fail since webserver cannot use the database. $t_result = @$g_db->Connect ( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name); switch ($f_db_type) { case 'mysql' : case 'mysqli' : //grant privileges $t_query_grant ="GRANT ALL ON `".$f_database_name."`.* TO `".$f_db_username."`@`".$f_hostname."` IDENTIFIED BY '".$f_db_password."' "; Correct implementation should perhaps take the IP/hostname of the currently executed query remote user and use that when granting privileges. This bug has only very little security implications since unexpected and unnecessary GRANT entry is created in mysql.user table but the new account is still password protected and connections would only be possible from other process on database host itself (or does mysql support switching of user via SQL-command and local connection?). Flagging it as "security" still, perhaps someone else might know a more problematic scenario. Current mantisbt-1.2.15 for download from mantisbt.org does not create any users (see [1]), so this code might have been removed/fixed between version 1.2.11 and 1.2.15 or may be a Debian-specific addition. [1] http://www.mantisbt.org/forums/viewtopic.php?f=3&t=21663 [2] https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1222713
--- End Message ---
--- Begin Message ---Version: 1.2.11-1.2+rm Dear submitter, as the package mantis has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see http://bugs.debian.org/730121 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Luca Falavigna (the ftpmaster behind the curtain)
--- End Message ---
