
mantis security upgrade breaks user configuration - Debian


  1. #1

    Re: mantis security upgrade breaks user configuration

    On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
    > i learned from the debian-security-announce mailinglist that mantis (a
    > php bugtracking system) has insecure permissions on the configfile that
    > stores the database password. so i did an 'apt-get update ;apt-get
    > upgrade' and was quite surprised, as this upgrade didn't just fix
    > permissions on this file, but overwrote it without asking. it took me a
    > while to find out what happened, and even longer, to restore the
    > settings i had in this file, because the update didn't even bother
    > backing up the original configuration.
    That's a serious bug. Please report it as such.

    --
    Colin Watson [cjwatsonflatline.org.uk]



  2. #2

    Re: mantis security upgrade breaks user configuration

    On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
    > i learned from the debian-security-announce mailinglist that mantis (a
    > php bugtracking system) has insecure permissions on the configfile that
    > stores the database password. so i did an 'apt-get update ;apt-get
    > upgrade' and was quite surprised, as this upgrade didn't just fix
    > permissions on this file, but overwrote it without asking. it took me a
    > while to find out what happened, and even longer, to restore the
    > settings i had in this file, because the update didn't even bother
    > backing up the original configuration.
    Yuck. I've talked to Matt Zimmerman about this (he prepared the
    security update). This problem is not introduced by the security
    update, but is instead part of the package as prepared by the maintainer.
    They apparently don't list the configuration file as such, so dpkg will
    happily overwrite it. That's definitely a bug and must be fixed by the
    Debian package maintainer.

    noah

    --
    | Web: http://web.morgul.net/~frodo/
    | PGP Public Key: http://web.morgul.net/~frodo/mail.html

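The mechanism Noah describes (a file that dpkg does not know as a conffile gets replaced on upgrade) and the permissions problem from the advisory can both be checked before running `apt-get upgrade`. The script below is an added example, not code from the thread or from the Debian mantis package; the package name `examplepkg` and the path `/etc/examplepkg/db.conf` are constructed placeholders, and in real use the conffile listing comes from `dpkg-query -W -f='${Conffiles}\n' PACKAGE`.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for a package whose config file holds a
# database password.
#   1. is the file declared as a dpkg conffile?  If not, dpkg replaces it on
#      upgrade without prompting, which is what happened in this thread.
#   2. is the file readable by "other"?  If so, any local user can read the
#      password.
# The functions take text and paths, so they run offline.  In real use:
#   listing=$(dpkg-query -W -f='${Conffiles}\n' examplepkg)   # hypothetical pkg
#   is_conffile "$listing" /etc/examplepkg/db.conf || echo "not a conffile"
#   is_world_readable /etc/examplepkg/db.conf && echo "world-readable"

# is_conffile LISTING PATH
#   LISTING is dpkg's ${Conffiles} field: one " /path md5sum [obsolete]" line
#   per declared conffile.  Returns 0 when PATH is among them, 1 otherwise.
is_conffile() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { found = 1 }
        END     { exit found ? 0 : 1 }'
}

# is_world_readable FILE
#   Returns 0 when the "other" read bit is set.  Parses the mode column of
#   ls -l (char 8 is "other" read), which avoids GNU/BSD stat differences.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# backup_config FILE DEST
#   Copy FILE to DEST before upgrading, preserving its mode, so a clobbered
#   config can be restored instead of reconstructed from memory.
backup_config() {
    cp -p "$1" "$2"
}
```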

  3. #3

    Re: Bug#199985: mantis security upgrade breaks user configuration

    tag 199985 confirmed
    thanks

    On Mon, 2003-07-07 at 18:59, Noah L. Meyerhans wrote:
    > On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
    > > i learned from the debian-security-announce mailinglist that mantis (a
    > > php bugtracking system) has insecure permissions on the configfile that
    > > stores the database password. so i did an 'apt-get update ;apt-get
    > > upgrade' and was quite surprised, as this upgrade didn't just fix
    > > permissions on this file, but overwrote it without asking. it took me a
    > > while to find out what happened, and even longer, to restore the
    > > settings i had in this file, because the update didn't even bother
    > > backing up the original configuration.
    >
    > Yuck. I've talked to Matt Zimmerman about this (he prepared the
    > security update). This problem is not introduced by the security
    > update, but is instead part of the package as prepared by the maintainer.
    > They apparently don't list the configuration file as such, so dpkg will
    > happily overwrite it. That's definitely a bug and must be fixed by the
    > Debian package maintainer.
    Hello.

    I'm currently maintaining mantis and I confirm this behaviour, although
    it's an old behaviour and it was not introduced in my latest
    security-stable package.

    In my stable fix I just changed it to chown the right files and I
    haven't changed anything else.
    The same applies to the unstable version.

    Please bear with me until I have time to fix this and other issues at
    the same time - for example, it shouldn't break if it's not possible to
    drop its table from mysql; it would be better to just warn. As the
    package is now, if you stop mysql, it would be nearly impossible to
    remove/purge it again, reinstall or even upgrade without editing the
    local postrm file.


    Anyway, thanks for noticing this problem. I'll get back soon with
    updated information.


    PS: I'm not subscribed to debian-usersl.d.o
    > noah


