reassign 475730 request-tracker3.8
thanks

On Sat, Apr 12, 2008 at 06:26:34PM +0300, Niko Tyni wrote:
> Package: request-tracker3.6
> Version: 3.6.6-2
> Severity: normal
>
> The initial password for the RT superuser 'root' (separate from the
> local root account, of course) is currently set to 'password' on new
> installs.
>
> As the database is now created automatically since 3.6.6-2, this would be
> a gaping security hole if the system was reachable on the web after the
> default install. As things are, the web server must first be configured
> manually, so things are not quite that bad.
>
> The right thing to do would be to prompt for the initial password via
> debconf. This requires changes to rt-setup-database, and I'm not sure
> yet if I'll implement this for Lenny, but I'm filing this as a reminder
> in any case.

Good idea. Not something that is going to get changed in 3.6 now, so
reassigning this to request-tracker3.8.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

