Steven Chamberlain wrote, on 27/03/2012 01:54:
Hi,
On 26/03/12 10:05, Petter Reinholdtsen wrote:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
The fix won't work. Using quotes in gosa.conf is no good if the
%userPassword substitution could contain
[Samuel Krempp]
yes the patch to gosa.conf I had first sent has to be reversed if
GOsa is upgraded to escape userPassword (in functions.inc).
OK. Then I believe we should patch gosa instead to fix it properly
and completely, and get a fix into squeeze. For r1 we should probably
provide our
tags 665696 + security
clone 665696 -1
reassign -1 gosa
retitle -1 gosa: unescaped arguments used on a command line
found -1 gosa/2.6.11-3
found -1 gosa/2.6.11-3+squeeze1
fixed -1 gosa/2.7.3-1
tags -1 + squeeze fixed-upstream
blocks 665696 by -1
thanks
Hi!
So, the problem here was that
Processing commands for cont...@bugs.debian.org:
tags 665696 + security
Bug #665696 [debian-edu-config] gosa-sync breaks on passwords containing spaces
Added tag(s) security.
clone 665696 -1
Bug #665696 [debian-edu-config] gosa-sync breaks on passwords containing spaces
Bug 665696 cloned as bug
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
options (keeping the old or upgrading to the new file) are wrong.
The old file
Petter Reinholdtsen wrote, on 26/03/2012 11:05:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
options (keeping the old
On Mon, Mar 26, 2012 at 11:05:41AM +0200, Petter Reinholdtsen wrote:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
Hi,
On 26/03/12 10:05, Petter Reinholdtsen wrote:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
The fix won't work. Using quotes in gosa.conf is no good if the
%userPassword substitution could contain double quotes.
As Samuel said, the correct fix is for
package: debian-edu-config
severity: important
version: squeeze/r0
spaces need adequate quoting of the password variable in both gosa-sync
and gosa.conf.
It is also very likely a security hazard in letting the user-supplied
password string unquoted in those two files, whence
tags 665696 + pending
thanks
[Samuel Krempp]
following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
--
Happy hacking
Petter Reinholdtsen
Processing commands for cont...@bugs.debian.org:
tags 665696 + pending
Bug #665696 [debian-edu-config] gosa-sync breaks on passwords containing spaces
Added tag(s) pending.
thanks
Stopping processing here.
Please contact me if you need assistance.
Petter Reinholdtsen wrote, on 25/03/2012 10:45:
tags 665696 + pending
thanks
[Samuel Krempp]
following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
the issue remains for other special characters, at least quotes. But the
Samuel Krempp wrote, on 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago:
https://oss.gonicus.de/labs/gosa/ticket/1026
Additionally, the script parameters are not escaped right now; somebody
could do nasty things with it. I will have a look at this too.
How serious is