Package: bugzilla3
Version: 3.6.2.0-4
Severity: important

The default localconfig contains an empty site_wide_secret string:

    # This secret key is used by your installation for the creation and
    # validation of encrypted tokens to prevent unsolicited changes,
    # such as bug changes. A random string is generated by default.
    # It's very important that this key is kept secret. It also must be
    # very long.
    site_wide_secret = '';

The comment seems to imply that somehow an empty value is replaced with a random string, but I'm not quite sure this is the case from looking at the Bugzilla code. It looks more like the empty string gets used as is. That would effectively disable the CSRF protection, which depends on this secret.

It would be a good idea to check how Bugzilla actually handles an empty string, and if necessary either (a) adjust the comment, or (b) generate a random secret in postinst.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (400, 'testing'), (300, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.21-quartic (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages bugzilla3 depends on:
ii  apache2                 2.2.9-10+lenny8    Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h  2.2.16-4           Apache HTTP Server - traditional n
ii  dbconfig-common         1.8.39             common framework for packaging dat
ii  debconf                 1.5.36             Debian configuration management sy
ii  libappconfig-perl       1.56-2             Perl module for configuration file
ii  libcgi-pm-perl          3.49-1             module for Common Gateway Interfac
ii  libdatetime-perl        2:0.6100-2         module for manipulating dates, tim
ii  libdatetime-timezone-p  1:1.20-1+2010k     framework exposing the Olson time
ii  libdbd-mysql-perl       4.007-1+lenny1     A Perl5 database interface to the
ii  libemail-mime-creator-  1.454-2            Simple Email::MIME mail message cr
ii  libemail-mime-modifier  1.442-3            Modify Email::MIME objects easily
ii  libemail-mime-perl      1.861-3            Easy MIME message parsing
ii  libemail-send-perl      2.192-3            Simply Sending Email
ii  libjs-yui               2.8.1-1            Yahoo User Interface Library
ii  libmail-sendmail-perl   0.79-5             Send email from a perl script
ii  libtemplate-perl        2.22-0.1           template processing system written
ii  libtimedate-perl        1.1600-9           Time and date functions for Perl
ii  mysql-client            5.0.51a-24+lenny4  MySQL database client (metapackage
ii  mysql-client-5.0 [mysq  5.0.51a-24+lenny4  MySQL database client binaries
ii  nullmailer [mail-trans  1:1.04-1.1         simple relay-only mail transport a
ii  patch                   2.5.9-5            Apply a diff file to an original
ii  perl-modules [libcgi-p  5.10.1-16          Core Perl modules
ii  python                  2.6.6-3+squeeze1   interactive high-level object-orie
ii  python-support          1.0.11             automated rebuilding support for P
ii  ucf                     3.0016             Update Configuration File: preserv

Versions of packages bugzilla3 recommends:
ii  cvs                     1:1.12.13-12              Concurrent Versions System
ii  imagemagick             7:6.3.7.9.dfsg2-1~lenny4  image manipulation programs
ii  libchart-perl           2.4.1-5                   Chart Library for Perl
ii  libtemplate-plu         2.66-2                    GD plugin(s) for the Template Tool
ii  libxml-parser-p         2.36-1.1+b1               Perl module for parsing XML files
pn  mysql-server | <none>                             (no description available)
ii  perlmagick              7:6.3.7.9.dfsg2-1~lenny4  Perl interface to the libMagick gr

Versions of packages bugzilla3 suggests:
ii  bugzilla3-doc           3.0.4.1-2+lenny2   comprehensive guide to Bugzilla
ii  graphviz                2.20.2-3           rich set of graph drawing tools
ii  libauthen-radius-perl   0.13-1             user authentication against radius
ii  libgd-gd2-perl          1:2.39-2           Perl module wrapper for libgd - gd
ii  libgd-graph-perl        1.44-3             Graph Plotting Module for Perl 5
ii  libgd-text-perl         0.86-5             Text utilities for use with GD
ii  libhtml-parser-perl     3.56-1+lenny1      A collection of modules that parse
ii  libhtml-scrubber-perl   0.08-4             Perl extension for scrubbing/sanit
ii  libmailtools-perl       2.03-1             Manipulate email in perl programs
ii  libmime-tools-perl      5.427-1            Perl5 modules for MIME-compliant m
ii  libnet-ldap-perl        1:0.36-1           A Client interface to LDAP servers
ii  libsoap-lite-perl       0.710.08-1         Client and server side SOAP implem
ii  libwww-perl             5.813-1+lenny2     WWW client/server library for Perl
ii  libxml-twig-perl        1:3.32-1           Perl module for processing huge XM
ii  patchutils              0.2.31-4           Utilities to work with patches
pn  ruby                    <none>             (no description available)

-- debconf information:
  bugzilla3/checksetup_failed:
* bugzilla3/customized_values: false
  bugzilla3/passwords-do-not-match:
* bugzilla3/customized_values_ask_again: true
  bugzilla3/database-type: mysql
  bugzilla3/remove-error: abort
* bugzilla3/shutdownhtml: <h1>Bugzilla is down for maintenance purposes. Please try again later.</h1>
  bugzilla3/mysql/admin-user: bugzilla
  bugzilla3/dbconfig-remove:
* bugzilla3/dbconfig-install: true
  bugzilla3/upgrade-error: abort
  bugzilla3/internal/reconfiguring: false
  bugzilla3/remote/newhost:
  bugzilla3/internal/skip-preseed: false
  bugzilla3/db/app-user: bugzilla
  bugzilla3/dbconfig-reinstall: false
  bugzilla3/mysql/method: unix socket
* bugzilla3/bugzilla_admin_real_name: Bugzilla Administrator
  bugzilla3/remote/host:
* bugzilla3/install-error: ignore
  bugzilla3/remote/port:
  bugzilla3/upgrade-backup: true
* bugzilla3/bugzilla_admin_name: bugzilla-ad...@example.net
  bugzilla3/dbconfig-upgrade: true
  bugzilla3/purge: false
  bugzilla3/db/dbname: bugzilla
* bugzilla3/missing-db-package-error: ignore
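As an added example (not part of the bug report or of the Debian package's maintainer scripts), a postinst-style shell helper for option (b) above: it leaves a non-empty site_wide_secret alone and replaces an empty one with 64 random hex characters. The function names are hypothetical; the localconfig path is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the bug report or the bugzilla3 package:
# fill an empty site_wide_secret in Bugzilla's localconfig with a
# random value, the way a postinst script could. Function names are
# hypothetical; $1 is the path to localconfig.

# Print 64 hex characters (32 bytes) read from /dev/urandom.
gen_site_wide_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Exit 0 if the localconfig at $1 still carries an empty secret
# (either '' or ""), 1 otherwise. Accepts the Perl form with a
# leading '$' as well as the bare form quoted in the report.
site_wide_secret_is_empty() {
    grep -Eq "^[[:space:]]*\\\$?site_wide_secret[[:space:]]*=[[:space:]]*(''|\"\")[[:space:]]*;" "$1"
}

# Replace an empty secret in place; print "patched" or "unchanged"
# so the postinst log records what happened. An existing non-empty
# secret is never overwritten, since changing it would invalidate
# every token Bugzilla has already issued.
ensure_site_wide_secret() {
    cfg="$1"
    if site_wide_secret_is_empty "$cfg"; then
        secret=$(gen_site_wide_secret)
        # Hex contains no quote or sed metacharacters, so it can be
        # spliced straight into the replacement text.
        sed -E "s/^([[:space:]]*\\\$?site_wide_secret[[:space:]]*=[[:space:]]*)(''|\"\")/\\1'$secret'/" \
            "$cfg" > "$cfg.tmp" || return 1
        # Write back through the existing inode so the file keeps its
        # mode and owner (localconfig should stay readable only by the
        # web server user).
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
        echo patched
    else
        echo unchanged
    fi
}
```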