Package: ucf
Version: 3.0038+nmu1
Severity: serious

Hi,

It seems that ucf, unlike dpkg, is changing the file permissions when
rewriting the configuration file. 

It also seems that there is a difference in behaviour between the "use
maintainer file" option and the 3-way merge. The former preserves the
permissions of the new file, the latter does not.

That can be a security issue, I believe, thus the severity.

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ucf depends on:
ii  coreutils       8.30-3+b1
ii  debconf         1.5.73
ii  sensible-utils  0.0.12

ucf recommends no packages.

ucf suggests no packages.

-- debconf information excluded
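
The class of problem reported above, as an added illustration that is not taken from ucf or from the report: a configuration file rewritten through a temporary file picks up a umask-derived mode unless the existing mode is copied over first. The function names, file names and the temp-file-plus-rename strategy are assumptions for the demonstration and make no claim about how ucf is implemented; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added illustration, not ucf code. All paths are constructed temp files.

# mode_of FILE: print the octal permission bits of FILE.
mode_of() { stat -c '%a' "$1"; }

# naive_replace NEW DEST: write the new content to a temp file and rename it
# over DEST. The temp file's mode comes from the umask, so DEST's mode is lost.
naive_replace() {
    tmp="$2.tmp.$$"
    cat "$1" > "$tmp"
    mv -f "$tmp" "$2"
}

# preserving_replace NEW DEST: create the temp file private (0600), copy the
# mode and owner of the existing DEST onto it, then rename it into place.
preserving_replace() {
    tmp="$2.tmp.$$"
    ( umask 077; cat "$1" > "$tmp" )
    if [ -e "$2" ]; then
        chmod "$(stat -c '%a' "$2")" "$tmp"
        # Changing the owner needs privileges; ignore failure when unprivileged.
        chown "$(stat -c '%u:%g' "$2")" "$tmp" 2>/dev/null || true
    fi
    mv -f "$tmp" "$2"
}

# demo: rewrite a 0600 file both ways under umask 022 and report the modes.
demo() (
    umask 022
    dir=$(mktemp -d) || exit 1
    printf 'password=old\n' > "$dir/app.conf"   # constructed sample config
    chmod 600 "$dir/app.conf"
    printf 'password=new\n' > "$dir/merged"     # constructed "merged" result
    naive_replace "$dir/merged" "$dir/app.conf"
    naive=$(mode_of "$dir/app.conf")
    chmod 600 "$dir/app.conf"
    preserving_replace "$dir/merged" "$dir/app.conf"
    kept=$(mode_of "$dir/app.conf")
    rm -rf "$dir"
    echo "naive=$naive preserving=$kept"
)

demo
```

Comparing `mode_of` before and after a package upgrade on files that hold credentials is a quick way to confirm whether a given rewrite path widened access.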
