Your message dated Sat, 05 Apr 2008 10:02:32 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#473131: fixed in dbconfig-common 1.8.37+nmu1
has caused the Debian Bug report #473131,
regarding dbconfig-common: database backups are world-readable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
473131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473131
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dbconfig-common
Version: 1.8.37
Severity: serious
Tags: security

When dbconfig-common detects that a database upgrade is needed, it dumps
a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
is world-readable, which bypasses all application-specific access
control mechanisms.

-rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql

The Etch version of the package has the same bug, but as we discussed
in private, it's currently unclear if any Etch packages are actually
using the upgrade functionality.

Note that PostgreSQL databases are unaffected by this because of #473013
(which also applies to the Etch version).

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]



--- End Message ---
--- Begin Message ---
Source: dbconfig-common
Source-Version: 1.8.37+nmu1

We believe that the bug you reported is fixed in the latest version of
dbconfig-common, which is due to be installed in the Debian FTP archive:

dbconfig-common_1.8.37+nmu1.dsc
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1.dsc
dbconfig-common_1.8.37+nmu1.tar.gz
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1.tar.gz
dbconfig-common_1.8.37+nmu1_all.deb
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <[EMAIL PROTECTED]> (supplier of updated dbconfig-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 05 Apr 2008 10:54:47 +0100
Source: dbconfig-common
Binary: dbconfig-common
Architecture: source all
Version: 1.8.37+nmu1
Distribution: unstable
Urgency: low
Maintainer: sean finney <[EMAIL PROTECTED]>
Changed-By: Stephen Gran <[EMAIL PROTECTED]>
Description: 
 dbconfig-common - common framework for packaging database applications
Closes: 473131
Changes: 
 dbconfig-common (1.8.37+nmu1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Make database dumps non world readable (closes: #473131)
Files: 
 c2032fa73fd546bcb9354e273f460b29 673 admin optional dbconfig-common_1.8.37+nmu1.dsc
 a30e853fdce319edca26c5b8ad2cee3f 317878 admin optional dbconfig-common_1.8.37+nmu1.tar.gz
 f02cb47932596fd5c20f6525f20c0fbc 475502 admin optional dbconfig-common_1.8.37+nmu1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH90zfSYIMHOpZA44RAmmGAKCYV91E1RYk2bWuvOTGyTOVV+iGlgCgpDLJ
BV7bWw98uDA+4sQtnBho1Y0=
=8Qz4
-----END PGP SIGNATURE-----



--- End Message ---
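
The permission problem reported in #473131 and one way to avoid it, as an added shell example that is not dbconfig-common's own code and not the patch shipped in 1.8.37+nmu1. `dump_cmd` is a hypothetical stand-in for the real dump tool, the data and file names are constructed, and the umask-based fix is an assumption.

```shell
#!/bin/sh
# Added illustration, not dbconfig-common's code.

# Hypothetical stand-in for the real dump tool; emits constructed data.
dump_cmd() { printf 'INSERT INTO Users VALUES (1, "constructed-secret");\n'; }

# Weak pattern: the redirect creates the file under the default root umask
# (022), giving mode 0644, as in the listing from the bug report.
backup_weak() (
    umask 022
    dump_cmd > "$1"
)

# Hardened pattern (assumed fix): tighten the umask before the file exists,
# so the dump is never readable by others, not even briefly. A leftover file
# is removed first because truncating an existing file keeps its old mode.
backup_hardened() (
    umask 077
    rm -f -- "$1"
    dump_cmd > "$1"
)

# Permission string as shown by ls, e.g. "-rw-r--r--".
mode_string() { ls -ld -- "$1" | cut -c1-10; }

# Audit: list regular files under a directory with the "other read" bit set.
find_world_readable() { find "$1" -type f -perm -004 -print; }

# Demo in a scratch directory (constructed paths, not the real backup dir).
demo() {
    d=$(mktemp -d) || return 1
    backup_weak "$d/app_weak.mysql"
    backup_hardened "$d/app_hardened.mysql"
    echo "weak:     $(mode_string "$d/app_weak.mysql")"
    echo "hardened: $(mode_string "$d/app_hardened.mysql")"
    echo "world-readable dumps found by audit:"
    find_world_readable "$d"
    rm -rf -- "$d"
}
demo
```

On an installed system, `find_world_readable /var/cache/dbconfig-common/backups` run as root lists any dumps left behind with the old permissions.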