Package: backuppc
Version: 2.1.2-6
Severity: critical
Tags: security

The default password generated at installation time is publicly
visible to any user with local access to the system on which backuppc is
installed as it is included in the debconf database [1] as a variable
for the backuppc/configuration-note template.

I've decided on severity critical for this issue as it potentially allows
random users to start backup jobs for other systems and possibly interfere
with backed-up data.

I'd suggest clearing this variable immediately after displaying the note.

[1] /var/cache/debconf/config.dat

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages backuppc depends on:
ii  adduser                    3.102         Add and remove users and groups
ii  apache2                    2.2.3-4       Next generation, scalable, extenda
ii  apache2-mpm-worker [apache 2.2.3-4       High speed threaded model for Apac
ii  debconf [debconf-2.0]      1.5.11        Debian configuration management sy
ii  dpkg                       1.13.25       package maintenance system for Deb
ii  exim4                      4.63-17       metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail-t 4.63-17       lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl        1.16-1        Module for manipulation of ZIP arc
ii  libcompress-zlib-perl      1.42-2        Perl module for creation and manip
ii  perl [libdigest-md5-perl]  5.8.8-7       Larry Wall's Practical Extraction 
ii  perl-suid                  5.8.8-7       Runs setuid Perl scripts
ii  samba-common               3.0.24-6etch4 Samba common files used by both th
ii  smbclient                  3.0.24-6etch4 a LanManager-like simple client fo
ii  tar                        1.16-2        GNU tar
ii  wwwconfig-common           0.0.48        Debian web auto configuration
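
An added example (not part of the original report or of the backuppc package): an audit that parses text in the layout of the debconf database named in [1] and lists which questions still carry substitution variables with a value, the condition the report describes and the suggested clearing would remove. The sample data, the variable names `site` and `pass`, and the `example/*` questions are constructed; the stanza layout is assumed from debconf's plain-file database format.

```python
import re

# Constructed sample in the layout of /var/cache/debconf/config.dat; names and values are made up.
SAMPLE_CONFIG_DAT = """\
Name: backuppc/configuration-note
Template: backuppc/configuration-note
Owners: backuppc
Variables:
 site = localhost
 pass = EXAMPLE-NOT-A-REAL-PASSWORD

Name: example/other-question
Template: example/other-question
Value: yes
Owners: example

Name: example/cleared-note
Template: example/cleared-note
Owners: example
Variables:
 pass =
"""

def parse_stanzas(text):
    """Split the database text into dicts; 'Variables' becomes a nested dict."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, field = {"Variables": {}}, None
        for line in block.splitlines():
            if line.startswith(" ") and field == "Variables":
                # Indented continuation line of the form " name = value"
                key, _, value = line.partition("=")
                entry["Variables"][key.strip()] = value.strip()
            elif ":" in line:
                field, _, value = line.partition(":")
                if field != "Variables":
                    entry[field] = value.strip()
        stanzas.append(entry)
    return stanzas

def leftover_variables(text):
    """Map question name -> variable names still holding a value (values omitted)."""
    findings = {}
    for entry in parse_stanzas(text):
        names = sorted(k for k, v in entry["Variables"].items() if v)
        if names:
            findings[entry.get("Name", "?")] = names
    return findings

print(leftover_variables(SAMPLE_CONFIG_DAT))
```

Only variable names are reported, never their values, so the audit output can be attached to a ticket without repeating the exposure.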

