On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
> i learned from the debian-security-announce mailinglist that mantis (a
> php bugtracking system) has insecure permissions on the configfile that
> stores the database password. so i did an 'apt-get update ;apt-get
> upgrade' and was quite surprised, as this upgrade didn't just fix
> permissions on this file, but overwrote it without asking. it took me a
> while to find out what happened, and even longer, to restore the
> settings i had in this file, because the update didn't even bother
> backing up the original configuration.

Yuck. I've talked to Matt Zimmerman about this (he prepared the security
update). This problem is not introduced by the security update, but is
instead part of the package as prepared by the maintainer. They apparently
don't list the configuration file as such, so dpkg will happily overwrite
it. That's definitely a bug and must be fixed by the Debian package
maintainer.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
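
Added example (not part of the original thread, and not code from Debian or the Mantis package): a shell check for the failure described above, listing files a package ships under /etc that are not registered as conffiles and that dpkg therefore replaces on upgrade without asking. The package name "examplepkg", its paths and the checksum are constructed sample data; files created by maintainer scripts rather than shipped in the package are outside what this check sees.

```shell
#!/bin/sh
# Added example. Package name, paths and checksum below are constructed.

# unlisted_etc_files FILELIST CONFFILES
#   FILELIST : saved output of `dpkg -L PKG`
#   CONFFILES: saved output of `dpkg-query -W -f='${Conffiles}\n' PKG`
# Prints files under /etc that the package ships without registering them
# as conffiles, i.e. files dpkg replaces on upgrade without prompting.
unlisted_etc_files() {
    awk '
        mode == "conf" { if (NF) conf[$1] = 1; next }  # " /path md5sum [obsolete]"
        /^\/etc\//     { paths[$0] = 1 }
        END {
            for (p in paths) {
                isdir = 0
                # dpkg -L also lists directories: skip any path that is a
                # prefix of another listed path.
                for (q in paths) if (index(q, p "/") == 1) { isdir = 1; break }
                if (!isdir && !(p in conf)) print p
            }
        }
    ' mode=conf "$2" mode=list "$1" | sort
}

# Runs the check on constructed listings for a hypothetical package.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/files" <<'EOF'
/.
/etc
/etc/examplepkg
/etc/examplepkg/apache.conf
/etc/examplepkg/config.php
/usr
/usr/share
/usr/share/examplepkg
/usr/share/examplepkg/index.php
EOF
    cat > "$tmp/conffiles" <<'EOF'
 /etc/examplepkg/apache.conf 0123456789abcdef0123456789abcdef
EOF
    unlisted_etc_files "$tmp/files" "$tmp/conffiles"
    rm -rf "$tmp"
}

demo   # prints /etc/examplepkg/config.php
```

On an installed system, feed the function the two dpkg outputs named in its header comment, saved to files, for the package under review.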