Debian Bug report logs - #448873
iscsitarget: ietd.conf public readable and contains passwords

Package: iscsitarget; Maintainer for iscsitarget is Debian iSCSI Maintainers <pkg-iscsi-maintainers@lists.alioth.debian.org>; Source for iscsitarget is src:iscsitarget.

Reported by: Martin Zobel-Helas <zobel@debian.org>

Date: Thu, 1 Nov 2007 15:27:01 UTC

Severity: serious

Tags: security

Found in version iscsitarget/0.4.15-4

Fixed in versions iscsitarget/0.4.15-5, iscsitarget/0.4.15-4+lenny1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Martin Zobel-Helas <zobel@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Zobel-Helas <zobel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 02 Nov 2007 18:25:39 +0100
Package: iscsitarget
Version: 0.4.15-4
Severity: serious
Tags: security
Justification: Policy 10.9

Hi,

/etc/ietd.conf will in most usual cases contain passwords, but is 644
per default after the installation. That needs to be fixed.

Greetings
Martin

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #10 received at 448873@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Martin Zobel-Helas <zobel@debian.org>, 448873@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#448873: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 2 Nov 2007 15:58:00 +1100
[Message part 1 (text/plain, inline)]
Hi Martin

Thanks for notifying us.
> /etc/ietd.conf will in most usual cases contain passwords, but is 644
> per default after the installation. That needs to be fixed.
Well, initially setting it to 640 wouldn't hurt much.
Looking at the init script, it seems that there is the "dump" function, which
sets the permissions to 600.
Not quite sure if users use this option to set up their configuration though,
maybe you could tell me :)

However, here is the NMU proposal. Surprisingly other distros like SUSE also 
use 644 in their package :/

Cheers
Steffen


[nmu.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
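
The check and fix discussed in the messages above, as an added example that is not part of the bug log or the iscsitarget package: it flags a config file that holds CHAP credentials while its "other" read bit is set, then restricts it to 600. The function names are hypothetical, the `IncomingUser`/`OutgoingUser` lines are assumed to be where ietd.conf keeps its passwords, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the iscsitarget package). Assumes GNU stat.

# Print the octal permission bits of FILE, e.g. 644.
conf_mode() { stat -c '%a' "$1"; }

# Succeed if FILE has an uncommented CHAP credential line
# (IncomingUser/OutgoingUser <name> <password>); assumed ietd.conf syntax.
has_chap_secrets() {
    grep -Eq '^[[:space:]]*(IncomingUser|OutgoingUser)[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# Succeed if the "other" permission digit includes read (4, 5, 6 or 7).
world_readable() {
    mode=$(conf_mode "$1") || return 2
    last=${mode#"${mode%?}"}          # last octal digit = "other" bits
    case $last in
        [4567]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if FILE is acceptable, 1 if it holds secrets and is
# world-readable, 2 if it does not exist.
audit_conf() {
    [ -f "$1" ] || { echo "$1: not found"; return 2; }
    if has_chap_secrets "$1" && world_readable "$1"; then
        echo "$1: mode $(conf_mode "$1") exposes CHAP passwords to local users"
        return 1
    fi
    echo "$1: mode $(conf_mode "$1") ok"
}

# Restrict FILE to its owner (600, the mode the init script's dump uses).
harden_conf() { chmod 600 "$1"; }

# Demo on a constructed sample in a temp dir, never the live /etc/ietd.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Target iqn.2001-04.com.example:storage.disk1' \
        '    IncomingUser joe constructed-secret' > "$d/ietd.conf"
    chmod 644 "$d/ietd.conf"
    before=0; audit_conf "$d/ietd.conf" || before=$?
    harden_conf "$d/ietd.conf"
    after=0; audit_conf "$d/ietd.conf" || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
demo
```

A mode of 640 also passes the audit, since it clears the "other" read bit; whether group read is acceptable depends on which group owns the file.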

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Frederik Schueler <fs@ha-systeme.de>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #15 received at 448873@bugs.debian.org (full text, mbox):

From: Frederik Schueler <fs@ha-systeme.de>
To: 448873@bugs.debian.org
Subject: re: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 2 Nov 2007 12:29:03 +0100
Hello,

may we at least get the chance to look into this before you already
start preparing an NMU, please?


Regards
Frederik Schüler

-- 
ENOSIG




Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #20 received at 448873@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Frederik Schueler <fs@ha-systeme.de>, 448873@bugs.debian.org
Subject: Re: Bug#448873: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 2 Nov 2007 14:46:06 +0100
[Message part 1 (text/plain, inline)]
Hi Frederik,
* Frederik Schueler <fs@ha-systeme.de> [2007-11-02 12:35]:
> may we at least get the chance to look into this before you already
> start preparing an NMU, please?

What is the problem with posting a patch for an NMU? It's 
not yet uploaded so the worst thing it can do is help you :)
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Frederik Schüler <fs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Zobel-Helas <zobel@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 448873-close@bugs.debian.org (full text, mbox):

From: Frederik Schüler <fs@debian.org>
To: 448873-close@bugs.debian.org
Subject: Bug#448873: fixed in iscsitarget 0.4.15-5
Date: Sun, 04 Nov 2007 18:17:02 +0000
Source: iscsitarget
Source-Version: 0.4.15-5

We believe that the bug you reported is fixed in the latest version of
iscsitarget, which is due to be installed in the Debian FTP archive:

iscsitarget-source_0.4.15-5_all.deb
  to pool/main/i/iscsitarget/iscsitarget-source_0.4.15-5_all.deb
iscsitarget_0.4.15-5.diff.gz
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-5.diff.gz
iscsitarget_0.4.15-5.dsc
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-5.dsc
iscsitarget_0.4.15-5_amd64.deb
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederik Schüler <fs@debian.org> (supplier of updated iscsitarget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 04 Nov 2007 18:54:41 +0100
Source: iscsitarget
Binary: iscsitarget iscsitarget-source
Architecture: source amd64 all
Version: 0.4.15-5
Distribution: unstable
Urgency: high
Maintainer: Philipp Hug <debian@hug.cx>
Changed-By: Frederik Schüler <fs@debian.org>
Description: 
 iscsitarget - iSCSI Enterprise Target userland tools
 iscsitarget-source - iSCSI Enterprise Target kernel module source
Closes: 448195 448873
Changes: 
 iscsitarget (0.4.15-5) unstable; urgency=high
 .
   * Urgenc: high due to security update.
   * Fix /etc/ietd.conf permissions. (Closes: #448873)
   * Fix module-assistant build. Thanks to Franklin PIAT <fpiat@bigfoot.com>
     for the patch. (Closes: #448195)
Files: 
 21007871c250d4fe201f1986b53b9352 658 net optional iscsitarget_0.4.15-5.dsc
 e2fce38f875de7c5f3fe961885fafcfb 5212 net optional iscsitarget_0.4.15-5.diff.gz
 14eb8366d25ca91f7f81a2726e6e22d6 58600 net optional iscsitarget_0.4.15-5_amd64.deb
 f87e3ccdd1fdf66c5e0e1b7210bb3773 39938 net optional iscsitarget-source_0.4.15-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHLgvn6n7So0GVSSARArHrAJ9jeOKyepenHrpYwrne0KGr9cNLZwCfbu4d
Cjlxv+EpLOnMP257pQSf4m8=
=zwQN
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #30 received at 448873@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 448873@bugs.debian.org
Subject: Re: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 9 Nov 2007 23:59:37 +0100
On Fri, Nov 02, 2007 at 06:25:39PM +0100, Martin Zobel-Helas wrote:
> Package: iscsitarget
> Version: 0.4.15-4
> Severity: serious
> Tags: security
> Justification: Policy 10.9
> 
> /etc/ietd.conf will in most usual cases contain passwords, but is 644
> per default after the installation. That needs to be fixed.

This doesn't warrant a DSA, but could be fixed in a point update.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #35 received at 448873@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448873@bugs.debian.org
Cc: debian@hug.cx
Subject: Re: Bug#448873: iscsitarget: ietd.conf public readable and contains passwords
Date: Fri, 16 Nov 2007 10:34:47 +0100
[Message part 1 (text/plain, inline)]
Hi Philipp,
your upload somehow didn't hit the archive. Can you please 
reupload it?
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#448873; Package iscsitarget. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. Full text and rfc822 format available.

Message #40 received at 448873@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 448873@bugs.debian.org
Subject: upload lost
Date: Mon, 19 Nov 2007 15:57:36 +1100
[Message part 1 (text/plain, inline)]
Hi

This upload got lost in ftp-master's crash.
Can you please reupload?

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Reply sent to Frederik Schüler <fs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Zobel-Helas <zobel@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 448873-close@bugs.debian.org (full text, mbox):

From: Frederik Schüler <fs@debian.org>
To: 448873-close@bugs.debian.org
Subject: Bug#448873: fixed in iscsitarget 0.4.15-5
Date: Thu, 22 Nov 2007 20:32:06 +0000
Source: iscsitarget
Source-Version: 0.4.15-5






Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Zobel-Helas <zobel@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 448873-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448873-close@bugs.debian.org
Subject: Bug#448873: fixed in iscsitarget 0.4.15-4+lenny1
Date: Sat, 29 Dec 2007 12:47:03 +0000
Source: iscsitarget
Source-Version: 0.4.15-4+lenny1

We believe that the bug you reported is fixed in the latest version of
iscsitarget, which is due to be installed in the Debian FTP archive:

iscsitarget-source_0.4.15-4+lenny1_all.deb
  to pool/main/i/iscsitarget/iscsitarget-source_0.4.15-4+lenny1_all.deb
iscsitarget_0.4.15-4+lenny1.diff.gz
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-4+lenny1.diff.gz
iscsitarget_0.4.15-4+lenny1.dsc
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-4+lenny1.dsc
iscsitarget_0.4.15-4+lenny1_i386.deb
  to pool/main/i/iscsitarget/iscsitarget_0.4.15-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated iscsitarget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Dec 2007 13:56:03 +0100
Source: iscsitarget
Binary: iscsitarget iscsitarget-source
Architecture: source i386 all
Version: 0.4.15-4+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Philipp Hug <debian@hug.cx>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 iscsitarget - iSCSI Enterprise Target userland tools
 iscsitarget-source - iSCSI Enterprise Target kernel module source
Closes: 448873
Changes: 
 iscsitarget (0.4.15-4+lenny1) testing-security; urgency=high
 .
   * Fix /etc/ietd.conf permissions (CVE-2007-5827; Closes: #448873).
Files: 
 e674960eb25684a6f144eb3e2298cfad 672 net optional iscsitarget_0.4.15-4+lenny1.dsc
 81390e388d87e3cc17383ef5f4322c28 102922 net optional iscsitarget_0.4.15.orig.tar.gz
 62f187cc5a6c98a07e309422ff9047ea 5214 net optional iscsitarget_0.4.15-4+lenny1.diff.gz
 9a9fdaa44012d7660f71cd44d4b2cc07 52406 net optional iscsitarget_0.4.15-4+lenny1_i386.deb
 326e7c7bc6d8fb52f967ba0c6bf0dfcd 39952 net optional iscsitarget-source_0.4.15-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHcP7kHYflSXNkfP8RAnokAKCj/q87S0R0cPzMxA3w++eiCrMebwCgrKr+
CFFJ1lYPVh0w7ePEBWHiLWE=
=OzHg
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jan 2008 07:33:30 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:19:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.