Your message dated Mon, 13 Oct 2008 09:17:50 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500707: fixed in maradns 1.3.07.09-2
has caused the Debian Bug report #500707,
regarding Does not run as the maradns user/group
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500707: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500707
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: maradns
Version: 1.3.07.08-1
Severity: important
Tags: security
Hi,
I noticed that maradns does not properly update its configuration to
run as the user "maradns". This results in the default configuration
remaining active, which is running as uid 65534 and gid 99. The former
should be the user "nobody" on all Debian systems AFAIK, but I think the
latter is usually not a valid user.
Running maradns with these credentials constitutes a security problem,
however, I do not think this is directly exploitable. Hence, I'm marking
this as important.
There is code in the postinst script to take care of this. The code is
supposed to change the uid/gid config directives to the uid and gid of
the "maradns" user and group, also created by the postinst script.
However, this only happens when postinst is called with the "install"
argument, which never happens according to the Policy Manual [1]. The
"install" argument is only passed to the preinst script, AFAICS.
I can reproduce this problem on two separate systems, one running sid
and one running lenny. I hope a fixed version can still be included in
lenny.
Gr.
Matthijs
[1]: http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27-rc2-wl-35635-gf8895ad (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages maradns depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-13 GNU C Library: Shared libraries
maradns recommends no packages.
maradns suggests no packages.
-- no debconf information
--- End Message ---
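The postinst argument mix-up described in the report, as an added shell example that is not the maradns package's own maintainer script: the mararc fragment, the numeric ids (1001/1001) and the temp-file path are constructed, and the uid/gid rewrite is a simplified stand-in for whatever the real postinst does. It contrasts the dead "install" branch with a branch on "configure", the argument dpkg actually passes to postinst, and adds the check an administrator can run to confirm the daemon will not start with the shipped defaults.

```shell
#!/bin/sh
# Added example, not the maradns package's postinst.
set -eu

# Constructed mararc fragment carrying MaraDNS's shipped defaults
# (uid 65534 = nobody, gid 99 = usually no valid group on Debian).
make_sample_mararc() {
    f=$(mktemp)
    printf 'ipv4_bind_addresses = "127.0.0.1"\nmaradns_uid = 65534\nmaradns_gid = 99\n' > "$f"
    echo "$f"
}

# Rewrite the uid/gid directives in mararc $1 to numeric ids $2 and $3.
# Written to a temp file and renamed so it works without GNU sed -i.
set_mararc_ids() {
    tmp="$1.tmp"
    sed -e "s/^maradns_uid = .*/maradns_uid = $2/" \
        -e "s/^maradns_gid = .*/maradns_gid = $3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Buggy gate as in the report: dpkg never calls postinst with "install"
# (that argument goes to preinst), so this branch is dead code and the
# shipped defaults stay in force.
postinst_buggy() {   # $1 = script argument, $2 = mararc, $3 = uid, $4 = gid
    case "$1" in
        install) set_mararc_ids "$2" "$3" "$4" ;;
    esac
}

# Fixed gate: dpkg calls postinst as "postinst configure <old-version>",
# so the rewrite must hang off "configure".
postinst_fixed() {   # same arguments as postinst_buggy
    case "$1" in
        configure) set_mararc_ids "$2" "$3" "$4" ;;
    esac
}

# Post-install check: returns 0 only if mararc $1 names uid $2 and gid $3,
# i.e. the daemon would drop privileges to the intended account.
mararc_uses_ids() {
    grep -qx "maradns_uid = $2" "$1" && grep -qx "maradns_gid = $3" "$1"
}
```

On a real system the ids come from `id -u maradns` and `id -g maradns` after adduser has created the account; the check is the same.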
--- Begin Message ---
Source: maradns
Source-Version: 1.3.07.09-2
We believe that the bug you reported is fixed in the latest version of
maradns, which is due to be installed in the Debian FTP archive:
maradns_1.3.07.09-2.diff.gz
to pool/main/m/maradns/maradns_1.3.07.09-2.diff.gz
maradns_1.3.07.09-2.dsc
to pool/main/m/maradns/maradns_1.3.07.09-2.dsc
maradns_1.3.07.09-2_amd64.deb
to pool/main/m/maradns/maradns_1.3.07.09-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kai Hendry <[EMAIL PROTECTED]> (supplier of updated maradns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Sat, 11 Oct 2008 22:07:58 +0100
Source: maradns
Binary: maradns
Architecture: source amd64
Version: 1.3.07.09-2
Distribution: unstable
Urgency: high
Maintainer: Kai Hendry <[EMAIL PROTECTED]>
Changed-By: Kai Hendry <[EMAIL PROTECTED]>
Description:
maradns - Simple security-focused Domain Name Service server
Closes: 500200 500707
Changes:
maradns (1.3.07.09-2) unstable; urgency=high
.
* Security fix, urgency high:
Does not run as the maradns user/group (Closes: #500707)
* reference to the wrong README.Debian in /etc/defaults/maradns
(Closes: #500200)
* Waiting 3 seconds instead of 10 for maradns to parse mararc on startup
--- End Message ---