Bug#542218: backuppc: Security hole when using rsync and multiple users

2009-10-05 Thread Marc Deslauriers
The patch included in 3.1.0-7 doesn't actually fix the problem. Normal users can still set the ClientNameAlias by adding something like override_ClientNameAlias=1v_zZ_ClientNameAlias= to their POST. Marc.

Bug#542218: backuppc: Security hole when using rsync and multiple users

2009-10-05 Thread Marc Deslauriers
Included is a patch that moves the previous fix to a location before the settings get applied. Marc. diff -Naur backuppc-3.1.0.ori/lib/BackupPC/CGI/EditConfig.pm backuppc-3.1.0/lib/BackupPC/CGI/EditConfig.pm --- backuppc-3.1.0.ori/lib/BackupPC/CGI/EditConfig.pm 2009-10-05 08:04:01.0

Bug#542218: backuppc: Security hole when using rsync and multiple users

2009-08-18 Thread David Ambrose-Griffith
Package: backuppc
Version: 3.1.0-4
Severity: critical
Tags: security
Justification: root security hole

When using an SSH key and Rsync with BackupPC on a system with multiple users, Users (as opposed to admins) have the ability to change the ClientNameAlias on machines they are listed as