[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#199985: mantis security upgrade breaks user configuration

tag 199985 confirmed

A Seg, 2003-07-07 às 18:59, Noah L. Meyerhans escreveu:
> On Thu, Jul 03, 2003 at 02:26:12PM +0200, Alexander Meyer wrote:
> > i learned from the debian-security-announce mailinglist that mantis (a
> > php bugtracking system) has insecure permissions on the configfile that
> > stores the database password. so i did an 'apt-get update ;apt-get
> > upgrade' and was quite surprised, as this upgrade didn't just fix
> > permissions on this file, but overwrote it without asking. it took me a
> > while to find out what happened, and even longer, to restore the
> > settings i had in this file, because the update didn't even bother
> > backing up the original configuration.
> Yuck.  I've talked to Matt Zimmerman about this (he prepared the
> security update).  This problem is not introduced by the security
> update, but is instead part of package as prepared by the maintainer.
> They apparently don't list the configuration file as such, so dpkg will
> happily over write it.  That's definitely a bug and must be fixed by the
> Debian package maintainer.


I'm currently maintaining mantis and I confirm this behaviour, although
it's an old behaviour and it was not introduced in my latest
security-stable package.

In my stable fix I just changed it to chown the right files and I
haven't changed anything else.
Same applies to unstable version.

Please bear with me until I have time to fix this and other issues at
the same time - for example, it shouldn't break if it's not possible to
drop its table from mysql, it would be better to just warn. As the
package is now, if you stop mysql, it would be near to impossible to try
to remove/purge it again, reinstall or even upgrade without editing
local postrm file.

Anyway, thanks for noticing this problem. I'll get back soon with
updated information.

PS: I'm not subscribed to debian-users@l.d.o

> noah

Reply to: