Debian Bug report logs - #348306
/etc/knowledgetree/environment.php (which contains passwords) world-readable

Package: knowledgetree; Maintainer for knowledgetree is (unknown);

Reported by: David B Harris <dbharris@debian.org>

Date: Mon, 16 Jan 2006 08:18:24 UTC

Severity: critical

Found in version knowledgetree/2.0.7-1

Fixed in version knowledgetree/2.0.7-2

Done: Jose Carlos Medeiros <debian@psabs.com.br>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Jose Carlos Medeiros <debian@psabs.com.br>:
Bug#348306; Package knowledgetree.


Acknowledgement sent to David B Harris <dbharris@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Jose Carlos Medeiros <debian@psabs.com.br>.


Message #5 received at submit@bugs.debian.org:

From: David B Harris <dbharris@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /etc/knowledgetree/environment.php (which contains passwords) world-readable
Date: Mon, 16 Jan 2006 03:07:19 -0500
Package: knowledgetree
Version: 2.0.7-1
Severity: critical

Hey,

/etc/knowledgetree/environment.php is world-readable by default. It is
supposed to contain (amongst other things) the username and password for
the KnowledgeTree database.

Cc:'d to security@debian.org just in case they care (the package is only
in Sid, but maybe some other "related" packages are worth auditing).

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.4-execshield-a8-linuxjail-1-2-oftc-1
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages knowledgetree depends on:
ii  apache2-mpm-prefork [apache2] 2.0.55-2   traditional model for Apache2
ii  libphp-phpmailer              1.73-1     full featured email transfer class
ii  libphp-phpsniff               2.1.3-1    a HTTP_USER_AGENT Client Sniffer f
ii  php4                          4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-mysql                    4:4.4.0-4  MySQL module for php4
ii  php4-pear                     4:4.4.0-4  PHP Extension and Application Repo
ii  php4-pear-log                 1.6.0-1.1  Log module for PEAR

-- no debconf information



Tags added: pending Request was from Jose Carlos Medeiros <jcnascimento@gmail.com> to control@bugs.debian.org.


Reply sent to Jose Carlos Medeiros <debian@psabs.com.br>:
You have taken responsibility.


Notification sent to David B Harris <dbharris@debian.org>:
Bug acknowledged by developer.


Message #12 received at 348306-close@bugs.debian.org:

From: Jose Carlos Medeiros <debian@psabs.com.br>
To: 348306-close@bugs.debian.org
Subject: Bug#348306: fixed in knowledgetree 2.0.7-2
Date: Sun, 22 Jan 2006 11:17:09 -0800
Source: knowledgetree
Source-Version: 2.0.7-2

We believe that the bug you reported is fixed in the latest version of
knowledgetree, which is due to be installed in the Debian FTP archive:

knowledgetree_2.0.7-2.diff.gz
  to pool/main/k/knowledgetree/knowledgetree_2.0.7-2.diff.gz
knowledgetree_2.0.7-2.dsc
  to pool/main/k/knowledgetree/knowledgetree_2.0.7-2.dsc
knowledgetree_2.0.7-2_all.deb
  to pool/main/k/knowledgetree/knowledgetree_2.0.7-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 348306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jose Carlos Medeiros <debian@psabs.com.br> (supplier of updated knowledgetree package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 20 Jan 2006 11:02:18 -0200
Source: knowledgetree
Binary: knowledgetree
Architecture: source all
Version: 2.0.7-2
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Medeiros <debian@psabs.com.br>
Changed-By: Jose Carlos Medeiros <debian@psabs.com.br>
Description: 
 knowledgetree - web-based Knowledge Management
Closes: 348306
Changes: 
 knowledgetree (2.0.7-2) unstable; urgency=low
 .
   * Changed permissions of world-readable /etc/knowledgretree files.
     (Closes: #348306)
   * Improved call to dpkg-statoverride in debian/postinst.
   * Updated to Standards-Version 3.6.2.
   * Updated address of Free Software Foundation (FSF) in debian/copyright file.
Files: 
 5286f03391df19002173071307dca67e 702 web optional knowledgetree_2.0.7-2.dsc
 c6d6f38fd8e305a7ac0760f0734277e4 5072 web optional knowledgetree_2.0.7-2.diff.gz
 c3ff74ad3d50ff3e9cd5ef9e128b7359 686950 web optional knowledgetree_2.0.7-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD09XyGKGxzw/lPdkRAib1AJ9sC0jvcS7wR3pVbkDSfTelZgVciACfei2Y
O8Kz+FGiYeQi0nGm4gKwSyc=
=XYhA
-----END PGP SIGNATURE-----
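
The report and the changelog above concern file modes on a credential-bearing config file and a `dpkg-statoverride` call in `debian/postinst`. The following is an added example, not the knowledgetree package's actual postinst: it lists world-readable files under a config directory and tightens them while respecting any local `dpkg-statoverride` entry. The group `www-data`, the mode `0640` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten a config directory that holds credentials.
# CONF_GROUP (www-data) and mode 0640 are assumptions, not values taken from
# the knowledgetree 2.0.7-2 package.

CONF_GROUP="${CONF_GROUP:-www-data}"

# Print every regular file under $1 that "other" is allowed to read.
list_world_readable() {
    find "$1" -type f -perm -004 -print
}

# Tighten one file the way a postinst commonly does: leave it untouched if the
# local admin registered a dpkg-statoverride for it, otherwise set 0640.
tighten_conffile() {
    f="$1"
    if dpkg-statoverride --list "$f" >/dev/null 2>&1; then
        return 0    # the admin's override wins
    fi
    # chown needs root and an existing group; skip it otherwise.
    if [ "$(id -u)" -eq 0 ] && getent group "$CONF_GROUP" >/dev/null 2>&1; then
        chown "root:$CONF_GROUP" "$f"
    fi
    chmod 0640 "$f"
}

# Tighten every file the audit reports; succeed only if none remain readable
# by "other" afterwards (files with a statoverride are left as the admin set them).
harden_dir() {
    list_world_readable "$1" | while IFS= read -r f; do
        tighten_conffile "$f"
    done
    [ -z "$(list_world_readable "$1")" ]
}
```

Running `list_world_readable /etc/knowledgetree` on an installed system shows whether the file from this report is still exposed to local users.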




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 11:29:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 11 16:25:12 2021; Machine Name: bembo
