Your message dated Mon, 15 Jul 2013 12:32:57 +0200 with message-id <201307151233.00544.holger@layer-acht.org> and subject line done has caused the Debian Bug report #665696, regarding gosa-sync breaks on passwords containing spaces to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
665696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665696
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gosa-sync breaks on passwords containing spaces
- From: Samuel Krempp <samuel.krempp@gmail.com>
- Date: Sun, 25 Mar 2012 10:07:06 +0200
- Message-id: <4F6ED22A.7060109@gmail.com>
- Reply-to: Samuel.Krempp@gmail.com
package: debian-edu-config
severity: important
version: squeeze/r0

Spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf.

It is also very likely a security hazard in letting the user-supplied password string unquoted in those two files, whence severity=important.

Following patch just adds the quoting, and was verified to fix the issue.

-- Samuel Krempp

--- /etc/gosa/gosa.conf.befSK 2012-03-25 09:45:33.000000000 +0200 +++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200 @@ -44,7 +44,7 @@ <plugin acl="users/phoneAccount:self" class="phoneAccount"/> <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/> <plugin acl="users/scalixAccount:self" class="scalixAccount"/> - <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/> + <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD="%userPassword" /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/> </section> <!-- Section to enable administrative services --> --- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.000000000 +0200 +++ /usr/share/debian-edu-config/tools/gosa-sync 2012-03-25 09:56:04.000000000 +0200 @@ -15,7 +15,6 @@ ## principal's one. RETVAL=0 - USERDN=$1 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"` @@ -30,7 +29,7 @@ IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true` if [ "$IAM" = "dn:$USERDN" ] ; then cat > $TMPFILE <<EOF -change_password -pw $USERPASSWORD $USERID +change_password -pw "$USERPASSWORD" $USERID EOF cat $TMPFILE | kadmin.local 2>&1 | logger -t gosa-sync -p notice logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
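Review bot: In the gosa.conf hunk (@@ -44,7 +44,7 @@), the added postmodify line nests plain double quotes inside a double-quoted XML attribute, so as written the attribute value ends at USERPASSWORD= and the element is no longer well-formed. Write the inner quotes as &quot; entities instead. Note also that shell double quotes only stop word splitting: a $, backquote, backslash or double quote inside the password is still interpreted by the shell unless GOsa escapes the value it substitutes for %userPassword, so that escaping should be confirmed before relying on this line.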
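Review bot: The first gosa-sync hunk (@@ -15,7 +15,6 @@) only deletes the blank line after RETVAL=0, which is unrelated to the quoting fix and should be dropped from the patch. The context line directly below it, USERID=`echo $USERDN | sed ...`, still expands $USERDN unquoted, so a DN containing spaces or glob characters is subject to the same word-splitting problem this report is about; quoting it as "$USERDN" there belongs in the same change.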
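Review bot: In the second gosa-sync hunk (@@ -30,7 +29,7 @@), the quotes added around $USERPASSWORD sit inside an unquoted here-document, so the shell copies them literally into $TMPFILE and it is kadmin.local that parses them, not the shell. That handles spaces, but a password containing a double quote or a line break still ends the quoted argument early and changes what kadmin.local reads from the file. The script should reject or escape those characters before writing the here-document. The context line above also passes $TMPFILE and $USERDN to ldapwhoami unquoted, and $USERID on the changed line is unquoted as well.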
--- End Message ---
--- Begin Message ---
- To: 665696-done@bugs.debian.org
- Subject: done
- From: Holger Levsen <holger@layer-acht.org>
- Date: Mon, 15 Jul 2013 12:32:57 +0200
- Message-id: <201307151233.00544.holger@layer-acht.org>
version: 1.454

done since a long time...
--- End Message ---