[Full-Disclosure] [SECURITY] [DSA-335-1] New mantis packages fix insecure file permissions

debian-security-announce_at_lists.debian.org
Date: 06/29/03

  • Next message: debian-security-announce_at_lists.debian.org: "[Full-Disclosure] [SECURITY] [DSA-333-1] New acm packages fix integer overflow"
    To: full-disclosure@lists.netsys.com
    Date: Sat, 28 Jun 2003 21:47:50 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 335-1 security@debian.org
    http://www.debian.org/security/ Matt Zimmerman
    June 28th, 2003 http://www.debian.org/security/faq
    - --------------------------------------------------------------------------

    Package : mantis
    Vulnerability : incorrect permissions
    Problem-Type : local
    Debian-specific: yes

    mantis, a PHP/MySQL web based bug tracking system, stores the password
    used to access its database in a configuration file which is
    world-readable. This could allow a local attacker to read the
    password and gain read/write access to the database.

    For the stable distribution (woody) this problem has been fixed in
    version 0.17.1-3.

    For the old stable distribution (potato) does not contain a mantis
    package.

    For the unstable distribution (sid) this problem is fixed in version
    0.17.5-6.

    We recommend that you update your mantis package.

    Upgrade Instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    Debian GNU/Linux 3.0 alias woody
    - --------------------------------

      Source archives:

        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-3.dsc
          Size/MD5 checksum: 577 51599356a83dc1b315fc7e6f21d338ff
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-3.diff.gz
          Size/MD5 checksum: 15264 4a65805f85b2e70ab61f61446ab29336
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz
          Size/MD5 checksum: 220458 d8bac093eaf31ef5812e714db5c07f82

      Architecture independent components:

        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-3_all.deb
          Size/MD5 checksum: 250314 e47ccc4eec1d97677a7fa350565ed98a

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD4DBQE+/kU+ArxCt0PiXR4RApOrAJibHCVTm2jrCqhXBOoV4w4XFyYqAKDgvIpW
    lQK3WrbIeQUyAdBzCTzBxA==
    =sxoA
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter:
    http://lists.netsys.com/full-disclosure-charter.html


  • Next message: debian-security-announce_at_lists.debian.org: "[Full-Disclosure] [SECURITY] [DSA-333-1] New acm packages fix integer overflow"

    Relevant Pages