Processed: Re: [Pkg-nagios-devel] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts
Processing commands for cont...@bugs.debian.org:

> severity 683320 normal
Bug #683320 [src:icinga] CVE-2012-3441: insecure permissions in DB creation scripts
Severity set to 'normal' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
683320: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683320
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#683320: [Pkg-nagios-devel] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts
severity 683320 normal
thanks

On Mon, Jul 30, 2012 at 09:09:50PM +0200, Alexander Wirt wrote:
> On Mon, 30 Jul 2012, Yves-Alexis Perez wrote:
>
> > Source: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> >
> > DB creation scripts shipped in icinga-idoutils are insecure (they grant
> > privileges for all users). See
> > https://bugzilla.novell.com/show_bug.cgi?id=767319 and:
> >
> > https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
> > https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63
> >
> > As far as I can tell the bug in stable is only in documentation, but in
> > Wheezy it affects the scripts too. Please backport the changes and only
> > upload a targeted fix.
> hmm? we use dbconfig-common. We don't use this script, we also don't install
> README.RHEL.idoutils anywhere. So this is docs only.

Not a RC bug.

Cheers,
        Moritz
Bug#683320: [Pkg-nagios-devel] Bug#683320: Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts
On 30.07.2012 21:09, Alexander Wirt wrote:
> On Mon, 30 Jul 2012, Yves-Alexis Perez wrote:
>
> > Source: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> >
> > DB creation scripts shipped in icinga-idoutils are insecure (they grant
> > privileges for all users). See
> > https://bugzilla.novell.com/show_bug.cgi?id=767319 and:
> >
> > https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
> > https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63
> >
> > As far as I can tell the bug in stable is only in documentation, but in
> > Wheezy it affects the scripts too. Please backport the changes and only
> > upload a targeted fix.
> hmm? we use dbconfig-common. We don't use this script, we also don't install
> README.RHEL.idoutils anywhere. So this is docs only.

docs was fixed in 1.7.1, since this was released on 18.6.2012

see icinga-core.git branch r1.7, cd docbook, git pull && git log

    commit 619a08ca1178144b8a3a5caafff32a2d3918edab
    Author: Wolfgang
    Date:   Fri Jun 15 19:08:55 2012 +0200

        docs issue #2690: limit grant to icinga db

so it's a bug in a script which is shipped example wise upstream. SuSe
packages are the only known pkg source using those scripts, even the
repoforge rpms do not use those scripts (therefore the
README.RHEL.idoutils fix by me).

so this might still be an issue, but only for those manually invoking
such scripts from the examples.

kind regards,
Michael

--
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email:  michael.friedr...@univie.ac.at
phone:  +43 1 4277 14359
mobile: +43 664 60277 14359
fax:    +43 1 4277 14338
web:    http://www.univie.ac.at/zid
        http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org
Bug#683320: [Pkg-nagios-devel] Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts
On Mon, 30 Jul 2012, Yves-Alexis Perez wrote:

> Source: icinga
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> DB creation scripts shipped in icinga-idoutils are insecure (they grant
> privileges for all users). See
> https://bugzilla.novell.com/show_bug.cgi?id=767319 and:
>
> https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
> https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63
>
> As far as I can tell the bug in stable is only in documentation, but in
> Wheezy it affects the scripts too. Please backport the changes and only
> upload a targeted fix.
hmm? we use dbconfig-common. We don't use this script, we also don't install
README.RHEL.idoutils anywhere. So this is docs only.

Alex
Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts
Source: icinga
Severity: grave
Tags: security
Justification: user security hole

Hi,

DB creation scripts shipped in icinga-idoutils are insecure (they grant
privileges for all users). See
https://bugzilla.novell.com/show_bug.cgi?id=767319 and:

https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63

As far as I can tell the bug in stable is only in documentation, but in
Wheezy it affects the scripts too. Please backport the changes and only
upload a targeted fix.

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash