Bug#739592: marked as done (roundcube-plugins: Config files world readable)

Debian Bug Tracking System Sat, 22 Aug 2015 10:52:20 -0700

Your message dated Sat, 22 Aug 2015 17:49:17 +0000
with message-id <[email protected]>
and subject line Bug#739592: fixed in roundcube 1.1.2+dfsg.1-3
has caused the Debian Bug report #739592,
regarding roundcube-plugins: Config files world readable
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
739592: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739592
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: roundcube-plugins
Version: 0.9.5-1~bpo70+1
Severity: important


Dear Debian folks,


it’s not a direct issue, but people copying over the example file, get a
world readable file, which is not a good idea, if passwords for
databases are stored in them.

        # ls -lh /etc/roundcube/plugins/password/config.inc.php
        -rw-r--r-- 1 root root 127 Nov  3 19:28 
/etc/roundcube/plugins/password/config.inc.php
        # cp -a /usr/share/roundcube/plugins/password/config.inc.php.dist 
/etc/roundcube/plugins/password/config.inc.php
        # ls -lh /etc/roundcube/plugins/password/config.inc.php
        -rw-r--r-- 1 root root 14K Oct 21 19:39 
/etc/roundcube/plugins/password/config.inc.php

For example the database password is stored in the variable below.

        $rcmail_config['password_db_dsn']

One could argue that the user/administrator should take care of that but
a note in the empty configuration file would be helpful so that this is
not overlooked. No idea if you can think of other ways.


Thanks,

Paul

signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

Source: roundcube
Source-Version: 1.1.2+dfsg.1-3

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 22 Aug 2015 18:23:30 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql 
roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 1.1.2+dfsg.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers 
<[email protected]>
Changed-By: Sandro Knauß <[email protected]>
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - 
plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 739592 771659 788448 793857 793858
Changes:
 roundcube (1.1.2+dfsg.1-3) unstable; urgency=medium
 .
   * Handle dir to symlink migration for /usr/share/doc/roundcube{,-plugins}.
     Closes: #788448
   * Put a warning about access rights in empty configuration files for
     plugins. Closes: #739592
   * Depends on php5-pspell for roundcube-plugins. Closes: #793857
   * Remove /etc/roundcube/config.inc.php on purge. Closes: #793858
   * Add back Enigma plugin. Closes: #771659
   * Redact logout.html to not use a remote jquery.js.
   * Don't ship license.txt with TinyMCE.
Checksums-Sha1:
 7c39998608818cc1f81e0fcd0426a48cb16ad0f1 2385 roundcube_1.1.2+dfsg.1-3.dsc
 7d39df79adcde1f0a842f5b9d6ae3dd213271422 1763128 
roundcube_1.1.2+dfsg.1-3.debian.tar.xz
 4f027fb441184d9fabfc2c84c860922b634559dc 1934280 
roundcube-core_1.1.2+dfsg.1-3_all.deb
 cfa842f022529acc9dad9274fe67e8b26243478f 21636 
roundcube-mysql_1.1.2+dfsg.1-3_all.deb
 cf3599fb65beaebfd9171606ab1c787bef2c7a7f 21624 
roundcube-pgsql_1.1.2+dfsg.1-3_all.deb
 cacd62871ed5151cc5cb381661c2e477c96b8e31 580996 
roundcube-plugins_1.1.2+dfsg.1-3_all.deb
 89a6bcb361f8538e7610cc0e7678786dae80f906 21602 
roundcube-sqlite3_1.1.2+dfsg.1-3_all.deb
 29caff73388ecd0b2e41ffd474a58ae6eb804127 1330 roundcube_1.1.2+dfsg.1-3_all.deb
Checksums-Sha256:
 cc9949a2baafa27bc15a5ab128ae99af97431f45f7ff40d0cc72bd456d35b762 2385 
roundcube_1.1.2+dfsg.1-3.dsc
 d12df439b6a6cfdc39f591cfe44826b607262ae54d2470d92ba7ece25a69330c 1763128 
roundcube_1.1.2+dfsg.1-3.debian.tar.xz
 a4cf5f2882e5c23fda285e9e6fd94debfd3836f22f68f5bdbc0f509341d52cbc 1934280 
roundcube-core_1.1.2+dfsg.1-3_all.deb
 2b2e8083a575c2df50f1297198a40d05ef2fb3bc3c4589bb3542184767c7de5a 21636 
roundcube-mysql_1.1.2+dfsg.1-3_all.deb
 a7479d0d5492070634b59c297fdafafcead47d06b3d36fd9f2926fe0c532aa2e 21624 
roundcube-pgsql_1.1.2+dfsg.1-3_all.deb
 8ce48542080afe6cb420ebb57a6d4f831a3d9b0cc50636b03843c506dbd37dbe 580996 
roundcube-plugins_1.1.2+dfsg.1-3_all.deb
 88c73ab1d2f349367bc7c25524720bc2630733b85be98bae8d0ba753b7056f6c 21602 
roundcube-sqlite3_1.1.2+dfsg.1-3_all.deb
 4e4f47fdfce31d4c93152f3f1c23646e8a325e52ee718491b188aaa51910172f 1330 
roundcube_1.1.2+dfsg.1-3_all.deb
Files:
 b5780a6544add85f33b8f1eae90eea49 2385 web extra roundcube_1.1.2+dfsg.1-3.dsc
 229c11f563e79eabf6f2075e2909d8ff 1763128 web extra 
roundcube_1.1.2+dfsg.1-3.debian.tar.xz
 d8fc8cba1695ed89fc3d184fbc5e01fd 1934280 web extra 
roundcube-core_1.1.2+dfsg.1-3_all.deb
 c47f662c983a097d4aa3c55bdd7d87eb 21636 web extra 
roundcube-mysql_1.1.2+dfsg.1-3_all.deb
 a3e8c377d932eee3eeae2e716b4f9c72 21624 web extra 
roundcube-pgsql_1.1.2+dfsg.1-3_all.deb
 1caf393865ebb33c6b3837be9e5ed11c 580996 web extra 
roundcube-plugins_1.1.2+dfsg.1-3_all.deb
 6670f1c3eff8718bd91b4116e7e92353 21602 web extra 
roundcube-sqlite3_1.1.2+dfsg.1-3_all.deb
 c1c5f3419974f85d9bded667c0192eff 1330 web extra 
roundcube_1.1.2+dfsg.1-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV2LSCAAoJEJWkL+g1NSX5ZPUP/izJ1POJYzUsKPKu0/eaPA0Q
awuaYrmdtMm1VvPvUAZyUnUnUimsmt1RuNkg3gW17eKK49XhOWWukOzFJwns3wBa
I85SxZmAJg2d7vkwEO51MTbU7WefW+EXI6mYIWw5/0Mo/SAdix642iKSxPIdATeJ
vsXU+f+uNnUxxNOmFjnJaIsMtEuF1SCGE++kOGDZXn/hT2xTHFGvedIDU2r5fBw4
BLyTG8krHT6tsT1AWQo0Y1PlV3NmwUqdIZNk8+XUvUg0k4m5TuPqqZTQwnXXm8ZP
lIqAwOPhO2vJx9hjkjN0BxG6GDqk0xU6Upr8QLPP1tl9JqqnmXFhhsJSRp+ocJD1
0EoHFM3qUCnKFp16dbvfRBornSgCoGW0dVB4r0lBmuFQWhDJN7o/e9g2d4d0ezbg
KKhug41imaFpSVewSrJQQPQfP2dJ/g4Q8LBXGE1ztuyYXDIlFOYED0iyKjVh45iO
mkRSv8EUGHRqa9vCOwT5SCUOo17X9FpPyIyeLdeQmq/sSajzYZouZgVBAWgg9yQq
poM6XRH/7YWSCKHQzFvEDLxONpTjlp6vX5Vo7D1ieFehXxCFdQlvWIEDZskCk5ek
gL4l92Znyl/OlOg41RgKqupB/XSX/3cPK59/xE+3yRK5sEiK6zhH4I3LliQeh7+C
LG/m4ya7DsQaRuaQH/sz
=8tMh
-----END PGP SIGNATURE-----

--- End Message ---

Bug#739592: marked as done (roundcube-plugins: Config files world readable)

Reply via email to