On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
> i learned from the debian-security-announce mailinglist that mantis (a
> php bugtracking system) has insecure permissions on the configfile that
> stores the database password. so i did an 'apt-get update ;apt-get
> upgrade' and was quite surprised, as this upgrade didn't just fix
> permissions on this file, but overwrote it without asking. it took me a
> while to find out what happened, and even longer, to restore the
> settings i had in this file, because the update didn't even bother
> backing up the original configuration.

Yuck. I've talked to Matt Zimmerman about this (he prepared the
security update). This problem is not introduced by the security
update, but is instead part of the package as prepared by the maintainer.
They apparently don't list the configuration file as such, so dpkg will
happily overwrite it. That's definitely a bug and must be fixed by the
Debian package maintainer.
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
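
A pre-upgrade check for the situation described in this message, as an added example that is not part of the original e-mail or of any Debian package: it compares files you have edited against the conffiles a package registers with dpkg and copies the unregistered ones into a private backup directory. The package name `examplepkg` and all paths are constructed placeholders.

```shell
#!/bin/sh
# Added example; package name and paths are constructed placeholders.
# LIST arguments use the format of dpkg's "Conffiles" status field:
# one " /path md5sum [obsolete]" entry per line.
# Assumption: paths contain no whitespace.

# is_conffile LIST PATH: succeed if PATH is registered as a conffile.
is_conffile() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { hit = 1 } END { exit !hit }'
}

# unprotected_files LIST PATH...: print each PATH that dpkg would replace
# on upgrade without prompting, because it is not a registered conffile.
unprotected_files() {
    _list=$1; shift
    for _f in "$@"; do
        if ! is_conffile "$_list" "$_f"; then
            printf '%s\n' "$_f"
        fi
    done
}

# backup_unprotected LIST DESTDIR PATH...: copy every existing, unregistered
# PATH into DESTDIR. DESTDIR is mode 700 because such files may hold
# credentials (here, a database password); cp -p keeps the file's own mode.
backup_unprotected() {
    _list=$1; _dest=$2; shift 2
    mkdir -p "$_dest" && chmod 700 "$_dest" || return 1
    for _f in "$@"; do
        if ! is_conffile "$_list" "$_f" && [ -f "$_f" ]; then
            cp -p "$_f" "$_dest/" || return 1
        fi
    done
}

# Constructed sample of a Conffiles field (not taken from a real package).
SAMPLE_CONFFILES=' /etc/examplepkg/apache.conf 0123456789abcdef0123456789abcdef
 /etc/examplepkg/old.conf fedcba9876543210fedcba9876543210 obsolete'

# Live use before an upgrade (run as a user who can read the files):
#   list=$(dpkg-query -W -f='${Conffiles}\n' examplepkg)
#   backup_unprotected "$list" /root/pre-upgrade-backup /etc/examplepkg/config.php
```
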