Processed: Re: Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

 tag 473131 etch
Bug#473131: dbconfig-common: database backups are world-readable
Tags were: patch security
Tags added: etch

 thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Niko Tyni
tag 473131 etch
thanks

On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
 Package: dbconfig-common
 Version: 1.8.37
 Severity: serious
 Tags: security
 
 When dbconfig-common detects that a database upgrade is needed, it dumps
 a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
 is world-readable, which bypasses all application-specific access
 control mechanisms.
 
 -rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql
 
 The Etch version of the package has the same bug, but as we discussed
 in private, it's currently unclear if any Etch packages are actually
 using the upgrade functionality.
 
 Note that PostgreSQL databases are unaffected by this because of #473013
 (which also applies to the Etch version).

This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
a security update for Etch.  Otherwise upgrades (especially partial
ones) from Etch to Lenny will hit the bug, as there is no guarantee
that dbconfig-common gets upgraded before the application unless its
dependency is versioned.

The command 

% apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'

shows 16 packages using the upgrade functionality in current unstable.

Cc'ing the security team.

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]






Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Florian Weimer
* Niko Tyni:

 This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
 a security update for Etch.  Otherwise upgrades (especially partial
 ones) from Etch to Lenny will hit the bug, as there is no guarantee
 that dbconfig-common gets upgraded before the application unless its
 dependency is versioned.

 The command 

 % apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'

 shows 16 packages using the upgrade functionality in current unstable.

If no packages in etch use this functionality, please upload a fixed
package to stable-proposed-updates.  This way, the fix will be included
in time.

Security team, could we still get a CVE for this issue, please?  It's
Debian-specific, I believe.






Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Niko Tyni
On Tue, Apr 08, 2008 at 10:07:37PM +0200, Florian Weimer wrote:
 * Niko Tyni:
 
  This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
  a security update for Etch.  Otherwise upgrades (especially partial
  ones) from Etch to Lenny will hit the bug, as there is no guarantee
  that dbconfig-common gets upgraded before the application unless its
  dependency is versioned.
 
  The command 
 
  % apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'
 
  shows 16 packages using the upgrade functionality in current unstable.
 
 If no packages in etch use this functionality, please upload a fixed
 package to stable-proposed-updates.  This way, the fix will be included
 in time.

Sorry, as I noted earlier in this bug, the Etch packages that have
upgrade files installed are

  bacula-director-mysql
  bacula-director-pgsql
  jffnms
  phpwiki
  postfix-policyd

I haven't looked into the circumstances where the upgrades are activated.
 
 Security team, could we still get a CVE for this issue, please?  It's
 Debian-specific, I believe.

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]






Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread Matt Brown
On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni [EMAIL PROTECTED] wrote:
   phpwiki

phpwiki is not affected by this as the package installs the database
with permissions 664 root:www-data

There is nothing sensitive in the database, just wiki pages that are
available via the http server. The admin password is kept in the
config.ini file in /etc.

-- 
Matt Brown
[EMAIL PROTECTED]
Mob +353 86 608 7117 www.mattb.net.nz






Bug#473131: dbconfig-common: database backups are world-readable

2008-04-08 Thread sean finney
hiya,

On Wednesday 09 April 2008 01:11:26 am Matt Brown wrote:
 On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni [EMAIL PROTECTED] wrote:
   phpwiki

 phpwiki is not affected by this as the package installs the database
 with permissions 664 root:www-data

however, i suspect that the data used by bacula's packages is sufficiently 
sensitive to warrant action.  we could do any of the following:

- issue a security upload with the diff from the NMU
- issue an update via etch-proposed-updates
- ensure the affected packages in unstable depend on dbc = this nmu and
  that they migrate successfully to lenny

and it seems of these the security upload is both the simplest solution as 
well as most sensible one.

i don't know that a CVE is really necessary though, since this is a very minor 
issue that does not currently affect anyone (if you don't count partial 
upgrades to stuff from backports), and only has the *potential* to do so if 
it's not resolved before lenny is released.  then again, i've seen CVE's 
assigned for even less worthy things that ended up as non-issues (i.e. half 
of the php-related CVE's in the past year), so i'll defer to the security 
folks on that.



sean




Bug#473131: dbconfig-common: database backups are world-readable

2008-03-29 Thread Niko Tyni
On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
 
 The Etch version of the package has the same bug, but as we discussed
 in private, it's currently unclear if any Etch packages are actually
 using the upgrade functionality.

This is actually trivial to find out:

 etch% apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'

 bacula-director-mysql
 bacula-director-pgsql
 jffnms
 phpwiki
 postfix-policyd

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]






Bug#473131: dbconfig-common: database backups are world-readable

2008-03-28 Thread Niko Tyni
Package: dbconfig-common
Version: 1.8.37
Severity: serious
Tags: security

When dbconfig-common detects that a database upgrade is needed, it dumps
a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
is world-readable, which bypasses all application-specific access
control mechanisms.

-rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql

The Etch version of the package has the same bug, but as we discussed
in private, it's currently unclear if any Etch packages are actually
using the upgrade functionality.

Note that PostgreSQL databases are unaffected by this because of #473013
(which also applies to the Etch version).

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]



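The defect reported above is a dump written under the default umask, which yields a 0644 file. The following shell snippet is an added illustration, not dbconfig-common's own code: it shows the world-readable pattern beside a version that creates the backup with mode 0600 before any data is written, plus an audit function for an existing backup directory. The names `unsafe_dump`, `safe_dump` and `check_backup_perms` are assumed for this example; the dump command passed in is a placeholder for whatever produces the dump (the test feeds it a constructed string).

```shell
#!/bin/sh
# Added example, not part of dbconfig-common. Demonstrates the bug from
# #473131 (backup dumped world-readable) and a hardened alternative.

# Vulnerable pattern: the redirect creates the file under the caller's
# umask, typically 022, so the dump ends up -rw-r--r-- (0644).
unsafe_dump() {   # usage: unsafe_dump <file> <command...>
    out=$1; shift
    "$@" > "$out"
}

# Hardened pattern: umask 077 in a subshell means the file is created 0600
# before the first byte is written, so there is no window in which another
# local user can open it. The old file is removed first because a redirect
# that truncates an existing file keeps that file's (possibly 0644) mode.
safe_dump() {     # usage: safe_dump <file> <command...>
    out=$1; shift
    (
        umask 077
        rm -f "$out"
        "$@" > "$out"
    )
}

# Audit: list every regular file under a backup directory that is readable
# by "other" (POSIX -perm -004). Returns 1 if any were found, else 0.
check_backup_perms() {   # usage: check_backup_perms <dir>
    found=$(find "$1" -type f -perm -004 -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
    return 0
}
```

Running `check_backup_perms /var/cache/dbconfig-common/backups` on an Etch system with the unfixed package would list any dump left behind by an earlier upgrade.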