Package: dbconfig-common
Version: 1.8.37
Severity: serious
Tags: security

When dbconfig-common detects that a database upgrade is needed, it dumps
a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
is world-readable, which bypasses all application-specific access
control mechanisms.

-rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql

The Etch version of the package has the same bug, but as we discussed
in private, it's currently unclear if any Etch packages are actually
using the upgrade functionality.

Note that PostgreSQL databases are unaffected by this because of #473013
(which also applies to the Etch version).

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]
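
Added example (not part of the original report and not dbconfig-common's own code): a POSIX shell sketch that lists backup files readable by "other", tightens existing ones, and writes a new dump so that it is never world-readable. The function names are hypothetical, and the dump command is whatever the caller passes in.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not dbconfig-common's.

# Print every regular file under "$1" whose mode has the other-read bit set
# (the -rw-r--r-- case shown in the report).
find_world_readable() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -004 -print
}

# Remove group/other access from backups that already exist.
fix_world_readable() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -004 -exec chmod go-rwx {} +
}

# Write the stdout of a dump command ("$@" after the first argument) to
# "$1" without the data ever being world-readable:
#  - umask 077 covers the case where the file is newly created;
#  - truncate + chmod 600 before writing covers a pre-existing file,
#    which would otherwise keep its old, wider mode.
# The subshell keeps the umask change from leaking into the caller.
write_private_backup() {
    out=$1
    shift
    (
        umask 077
        : > "$out"
        chmod 600 "$out"
        "$@" >> "$out"
    )
}
```

Running `find_world_readable /var/cache/dbconfig-common/backups` as root audits the directory named in the report; an empty result means no backup there is readable by other users.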


