
Re: Please remove otrs2/2.2.7-2lenny1



Hi,

On Wed, Oct 29, 2008 at 12:20 PM, Bastian Blank <waldi@debian.org> wrote:
> It includes severe FHS violations and produces security problems with
> this, see #475737 for reference.

I agree that it is an FHS violation that will be fixed in unstable and
that we have lived with the problem in sarge and etch, but I do not
agree that it is a security problem. That is why I ask for an
exception for lenny. Let me quote from the bug report:

"... every web application has read access to /etc/otrs/database.pm
which means it can create havoc in the database, install stored
procedures and so on. Every other webapp with a database has the same
problem - not only otrs. It is the duty of the local admin to make
sure that the installation is safe. I do not understand what is so
special about otrs..."

"It is not hard to modify foreign databases when it comes to webapps
that are executed by the same httpd user and BTW stored procedures are
executed in the context of the postgres user."

I am sorry that the FHS issue cannot be fixed easily but the bug
report came very late before the freeze.


Cheers,
Torsten

-- 
http://twerner.blogspot.com

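The point argued above is that a database credential file readable by the shared httpd user is readable by every web application running as that user, whichever package shipped it. As an added example (not code from this thread, from the otrs2 package, or from the bug report), the following Python applies the POSIX read-permission rules to a file's mode, owner and group and lists which files a given httpd user can read. The uid/gid 33 for www-data, the owner uids and the sample file modes are assumptions; the SAMPLE_FILES entries are constructed data, not a real system.

```python
import os
import stat

# Constructed sample entries (path, mode, owner_uid, owner_gid); not real system data.
# uid/gid 33 is assumed to be www-data, 1001 an assumed dedicated otrs account.
SAMPLE_FILES = [
    ("/etc/otrs/database.pm", 0o644, 0, 0),               # root:root, world-readable
    ("/etc/otrs/database.pm.group", 0o640, 0, 33),        # root:www-data, readable via group
    ("/etc/otrs/database.pm.private", 0o600, 1001, 1001), # otrs:otrs, not readable by www-data
]

HTTPD_UID = 33          # assumed uid of the shared httpd user (www-data)
HTTPD_GIDS = (33,)      # assumed group memberships of that user


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """POSIX read check for one file.

    Only one class of bits applies: owner bits if uid is the owner, otherwise
    group bits if any of the caller's gids matches, otherwise the 'other' bits.
    uid 0 (root) bypasses DAC and can read regardless of the mode.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def find_exposed(entries, uid=HTTPD_UID, gids=HTTPD_GIDS):
    """Return the paths from `entries` that the httpd user can read."""
    return [
        path
        for path, mode, owner_uid, owner_gid in entries
        if readable_by(mode, owner_uid, owner_gid, uid, gids)
    ]


def scan_path(path, uid=HTTPD_UID, gids=HTTPD_GIDS):
    """Same check against a real file on disk (directory traversal not modelled)."""
    st = os.stat(path)
    return readable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    for path in find_exposed(SAMPLE_FILES):
        print("readable by httpd user:", path)
```

Of the three constructed entries, the first two are readable by the httpd user (world-readable, and group-readable via the www-data group) while the mode-0600 file owned by a separate account is not. The check only looks at the file's own bits; a real audit would also walk the parent directories, since a directory without search permission blocks access regardless of the file mode.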
