Source: phabricator
Version: 0~git20141101-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The local configuration created by the phabricator package under
/usr/share/phabricator/conf/local is globally readable and contains
sensitive information like phabricator's database credentials. Access to
it should be restricted to only the necessary users (www-data and
phabricator in our case).

See also #775478 regarding the configuration location.

Regards,
Apollon

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
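An added example, not part of the original report or of the Debian package: a POSIX shell check that lists everything under a configuration directory that "other" users can read, plus a helper that removes that access. The function names are hypothetical, and handing the tree to a single shared group is an assumption about how the two accounts named in the report would be granted access.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a configuration tree.
# Function names are hypothetical; the group-based layout is an assumption.

# Print every file or directory under $1 whose mode grants read access
# to "other" (octal 004), one path per line.
world_readable() {
    find "$1" -perm -004 -print 2>/dev/null | sort
}

# Remove all access for "other" under $1. When a group name is given as $2,
# give the tree to that group read-only; directories keep the execute bit
# (via X) so group members can still traverse them.
restrict_conf() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    chmod -R o-rwx "$dir" || return 1
    if [ -n "$group" ]; then
        chmod -R g-w,g+rX "$dir" || return 1
    fi
}

# Audit only when a directory is passed on the command line, e.g.
#   sh audit.sh /usr/share/phabricator/conf/local
# Exit status 1 means at least one world-readable path was found.
if [ $# -ge 1 ]; then
    found=$(world_readable "$1")
    if [ -n "$found" ]; then
        printf 'world-readable:\n%s\n' "$found"
        exit 1
    fi
    echo "no world-readable paths under $1"
fi
```

Run as root, `restrict_conf` with a group argument leaves files at owner plus group read access only; which group both the web server and the daemon account belong to depends on the local setup.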