Your message dated Fri, 17 Oct 2014 16:02:31 +0000
with message-id <[email protected]>
and subject line Bug#757438: fixed in unattended-upgrades 0.83
has caused the Debian Bug report #757438,
regarding exposes entire dpkg upgrade log to non-root users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
757438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757438
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unattended-upgrades
Version: 0.79.5
Severity: normal
Tags: security

/var/log/unattended-upgrades/ is readable by all, so when this package is
run on a multi-user system, non-admin users can trawl the upgrade logs
for interesting information.

I don't know what they might find.. Which is the concern. When writing a
postinst script, the assumption is probably that only an admin, or
possibly a shoulder-surfer might see its output. So I'd not be surprised
if some of them leak information that is in some way sensitive, though
probably not password-level sensitive.

Ah, let's pick on one of my own packages -- when etckeeper is installed,
it makes commits of changes in /etc and allows git to display its usual
summary of changes. So the log can contain something like this:

[master d7acbf4] saving uncommitted changes in /etc prior to apt run
 2 files changed, 317 insertions(+)
 create mode 100644 ssl/private/apache.pem
 create mode 100644 ssl/certs/apache.pem

.. Exposing the contents of directories that normal users
cannot see inside of. I would not worry much if a shoulder-surfer saw that,
but it's worrying to think that a user could extract all such messages from
all the upgrade logs and combine them to facilitate other attacks.

For example, in this case, a wily attacker might notice that I seem to
accidentally have an insecure o+r mode on the apache ssl cert, which is
protected only by the mode of /etc/ssl/private. Now they can look for a
security hole that allows hard linking to arbitrary files as root..

Any reason not to make the directory 750 root.adm?

-- 
see shy jo



--- End Message ---
--- Begin Message ---
Source: unattended-upgrades
Source-Version: 0.83

We believe that the bug you reported is fixed in the latest version of
unattended-upgrades, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <[email protected]> (supplier of updated unattended-upgrades package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Fri, 17 Oct 2014 15:50:29 +0200
Source: unattended-upgrades
Binary: unattended-upgrades
Architecture: source all
Version: 0.83
Distribution: unstable
Urgency: medium
Maintainer: Michael Vogt <[email protected]>
Changed-By: Michael Vogt <[email protected]>
Description:
 unattended-upgrades - automatic installation of security upgrades
Closes: 757438 759693
Changes:
 unattended-upgrades (0.83) unstable; urgency=medium
 .
   * add Unattended-Upgrade::Package-Whitelist to allow upgrading
     only whitelisted regexp packagenames (plus their dependencies)
     (thanks to Christopher Warner)
   * add Unattended-Upgrade::Package-Whitelist-Strict boolean option
     to make Unattended-Upgrade::Package-Whitelist also check if all
     dependencies are whitelisted
   * unattended-upgrades:
     - fix output when "dpkg --configure -a" is run to recover
       from an unclean state
     - log to a rotated and compressed
       /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
       logfile instead of to multiple small logs (closes: #759693)
     - log u-u commandline via apt logging in /var/log/apt/history.log
   * debian/postinst:
     - set /var/log/unattended-upgrades/ permissions to 0750
       (closes: #757438). Thanks to Joey Hess

--- End Message ---
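A defender's check for the condition the report describes and for the remedy recorded in the 0.83 changelog, as an added example that is not part of the bug report or of the unattended-upgrades package: it reads the "other" permission bits of a log directory, flags a world-readable state, and applies the 0750 root:adm change. The scratch directory and the log line it writes are constructed so the script runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the bug report or the unattended-upgrades
# package: audit a log directory for the world-readable state reported in
# #757438 and apply the 0750 root:adm fix from the 0.83 changelog.

# Print the "other" permission triple of a path, e.g. "r-x" for mode 0755.
# ls -ld columns 8-10 are POSIX, avoiding GNU/BSD differences in stat(1).
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 when any local user can read inside the directory, which is the
# condition that lets non-admin users trawl postinst output in the logs.
is_world_readable() {
    case "$(other_bits "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# The remedy applied in debian/postinst of 0.83: mode 0750, so group adm
# keeps read access while "other" loses it. chown needs root, so it is
# only attempted as uid 0 and only when the adm group exists.
harden_logdir() {
    chmod 0750 "$1" || return 1
    if [ "$(id -u)" -eq 0 ] && getent group adm >/dev/null 2>&1; then
        chown root:adm "$1" || return 1
    fi
}

# Demo against a constructed scratch directory standing in for
# /var/log/unattended-upgrades/ so the example runs without privileges.
demo() {
    dir=$(mktemp -d) || return 1
    chmod 0755 "$dir"   # the world-readable state the report describes
    # Constructed log line of the kind the report quotes (etckeeper output).
    printf 'create mode 100644 ssl/private/apache.pem\n' \
        > "$dir/unattended-upgrades-dpkg.log"
    if is_world_readable "$dir"; then
        echo "before: other=$(other_bits "$dir") (log contents readable by all)"
    fi
    harden_logdir "$dir" || return 1
    echo "after:  other=$(other_bits "$dir")"
    rm -rf "$dir"
}

demo
```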