Package: mantis
Version: 1.0.6+dfsg-4.1
Severity: grave

After an upgrade of Mantis, the config file /etc/mantis/config_db.php
is world-wide readable and contains the clear password of my SQL
database!!!

Please urgently fix this as it creates a very big security hole.

The previous versions of Mantis were smarter:

-rw-r----- 1 root www-data 1887 2007-05-18 11:27 config.php
    ^^^           ^^^^^^^^

I've 'chgrp www-data' and 'chmod 640' the new file
/etc/mantis/config_db.php and it's working.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mantis depends on:
ii  apache                      1.3.34-4.1    versatile, high-performance HTTP s
ii  apache2                     2.2.3-4       Next generation, scalable, extenda
ii  apache2-mpm-prefork [apache 2.2.3-4+b1    Traditional model for Apache HTTPD
ii  dbconfig-common             1.8.33        common framework for packaging dat
ii  debconf                     1.5.13        Debian configuration management sy
ii  libapache2-mod-php5         5.2.2-1+b1    server-side, HTML-embedded scripti
ii  libphp-adodb                4.94-1        The 'adodb' database abstraction l
ii  libphp-phpmailer            1.73-3        full featured email transfer class
ii  php4-cli                    6:4.4.6-2+b1  command-line interpreter for the p
ii  php4-mysql                  6:4.4.6-2+b1  MySQL module for php4
ii  php5-cli                    5.2.2-1+b1    command-line interpreter for the p
ii  php5-mysql                  5.2.2-1+b1    MySQL module for php5

mantis recommends no packages.

-- debconf information:
  mantis/dbconfig-reinstall: false
* mantis/dbconfig-install: true
* mantis/remote/newhost: localhost
  mantis/title: Mantis
* mantis/url: http://localhost/mantis/
  mantis/upgrade-backup: true
  mantis/internal/skip-preseed: false
  mantis/install-error: abort
  mantis/internal/reconfiguring: false
  mantis/dbconfig-remove:
* mantis/bounce: [EMAIL PROTECTED]
* mantis/db_autoupdate: true
* mantis/ldap: false
  mantis/ldap_server: localhost
  mantis/version:
  mantis/from: [EMAIL PROTECTED]
  mantis/show_version: true
  mantis/root_mysql: root
  mantis/passwords-do-not-match:
  mantis/signup: true
* mantis/admin: [EMAIL PROTECTED]
* mantis/mysql/admin-user: root
* mantis/remote/port:
* mantis/username: mantis
  mantis/purge: false
* mantis/webmaster: [EMAIL PROTECTED]
* mantis/dbconfig-upgrade: false
  mantis/remove-error: abort
* mantis/remote/host: localhost
* mantis/purge_db: true
* mantis/db/app-user: mantis
* mantis/mysql/method: tcp/ip
  mantis/dn: dn=
  mantis/mysql_port: 3306
* mantis/webserver: apache
* mantis/db/dbname: bugtracker
* mantis/database-type: mysql
  mantis/upgrade-error: abort
* mantis/app_configure: true
  mantis/language: english
* mantis/mysql_server: localhost
* mantis/database: bugtracker
  mantis/organisation:

-- 
  ,''`.
 : :' :      Cyril Bouthors
 `. `'        Debian.org
   `-
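
The permission check and the chgrp/chmod 640 fix described in the report above, as an added example that is not part of the original report or of the mantis package. The function names are hypothetical and the script assumes GNU stat, as shipped on Debian.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; assumes GNU stat (Debian).

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if "other" holds any permission bit on the file.
is_world_accessible() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        *0) return 1 ;;   # last octal digit is the "other" class
        *)  return 0 ;;
    esac
}

# List regular files under a directory that "other" can read.
list_world_readable() {
    find "$1" -type f -perm -004 -print
}

# The fix from the report: mode 640, optionally group-owned by the web server.
# chgrp to a group the caller is not a member of needs root.
harden_config() {
    file=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp "$group" "$file" || return 1
    fi
    chmod 640 "$file"
}

# Report one file; returns 1 if exposed, 2 if missing.
audit_config() {
    [ -e "$1" ] || { echo "MISSING $1"; return 2; }
    if is_world_accessible "$1"; then
        echo "EXPOSED $(stat -c '%a %U:%G' "$1") $1"
        return 1
    fi
    echo "OK $(stat -c '%a %U:%G' "$1") $1"
}

# Audit any paths given on the command line, e.g. /etc/mantis/config_db.php
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_config "$f" || true; done
fi
```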