[SECURITY] [DSA-335-1] New mantis packages fix insecure file permissions

From: Matt Zimmerman (mdz_at_debian.org)
Date: 06/29/03

  • Next message: Matt Zimmerman: "[SECURITY] [DSA-334-1] New xgalaga packages fix buffer overflow"
    Date: Sat, 28 Jun 2003 21:47:50 -0400
    To: bugtraq@securityfocus.com

    Hash: SHA1

    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 335-1 security@debian.org
    http://www.debian.org/security/ Matt Zimmerman
    June 28th, 2003 http://www.debian.org/security/faq
    - --------------------------------------------------------------------------

    Package : mantis
    Vulnerability : incorrect permissions
    Problem-Type : local
    Debian-specific: yes

    mantis, a PHP/MySQL web based bug tracking system, stores the password
    used to access its database in a configuration file which is
    world-readable. This could allow a local attacker to read the
    password and gain read/write access to the database.

    For the stable distribution (woody) this problem has been fixed in
    version 0.17.1-3.

    For the old stable distribution (potato) does not contain a mantis

    For the unstable distribution (sid) this problem is fixed in version

    We recommend that you update your mantis package.

    Upgrade Instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    Debian GNU/Linux 3.0 alias woody
    - --------------------------------

      Source archives:

          Size/MD5 checksum: 577 51599356a83dc1b315fc7e6f21d338ff
          Size/MD5 checksum: 15264 4a65805f85b2e70ab61f61446ab29336
          Size/MD5 checksum: 220458 d8bac093eaf31ef5812e714db5c07f82

      Architecture independent components:

          Size/MD5 checksum: 250314 e47ccc4eec1d97677a7fa350565ed98a

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/>
    Version: GnuPG v1.2.2 (GNU/Linux)

    -----END PGP SIGNATURE-----

  • Next message: Matt Zimmerman: "[SECURITY] [DSA-334-1] New xgalaga packages fix buffer overflow"