freenet6: chmod go-r /etc/freenet6/tspc.conf to hide passwords
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
freenet6 (Debian) |
Fix Released
|
Unknown
|
|||
freenet6 (Ubuntu) |
Fix Released
|
High
|
Fabio Massimo Di Nitto |
Bug Description
Automatically imported from Debian bug report #254709 http://
CVE References
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : Re: Bug#254709: freenet6: chmod go-r /etc/freenet6/tspc.conf to hide passwords | #1 |
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : this is a serious security issue | #2 |
severity 254709 serious
tags 254709 + security
thanks
Hi,
this is not wishlist but rather serious. you have world readable passwords
sitting in /etc/freenet6/
Greetings
Martin
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : Re: Bug#254709: this is a serious security issue | #3 |
hi :)
On Tue, Sep 07, 2004 at 06:03:05PM +0200, Martin Zobel-Helas wrote:
> this is not wishlist but rather serious. you have world readable passwords
> sitting in /etc/freenet6/
is this file really created readable on new installations?
I thought it was a leftover from previous versions.
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #4 |
Automatically imported from Debian bug report #254709 http://
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Wed, 16 Jun 2004 16:51:30 +0200
From: Simon Josefsson <email address hidden>
To: <email address hidden>
Subject: freenet6: chmod go-r /etc/freenet6/
Package: freenet6
Version: 1.0-2
Severity: wishlist
Hello. I think it might be nice to make the tspc.conf file readable
only to root, since it may contain passwords. People adding a
password might forget to change permissions.
Thanks,
Simon
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Thu, 17 Jun 2004 08:46:08 +0200
From: Martin Waitz <email address hidden>
To: Simon Josefsson <email address hidden>, <email address hidden>
Subject: Re: Bug#254709: freenet6: chmod go-r /etc/freenet6/
--agiWCrAZ2JOwsdBK
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
On Wed, Jun 16, 2004 at 04:51:30PM +0200, Simon Josefsson wrote:
> Hello. I think it might be nice to make the tspc.conf file readable
> only to root, since it may contain passwords. People adding a
> password might forget to change permissions.
nice catch, will be in the next version.
thanks.
--=20
Martin Waitz
--agiWCrAZ2JOwsdBK
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFA0Twrj/
dbPKG4ynyZSgpOV
=VR7n
-----END PGP SIGNATURE-----
--agiWCrAZ2JOws
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Tue, 7 Sep 2004 18:03:05 +0200
From: Martin Zobel-Helas <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: this is a serious security issue
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-
Content-
severity 254709 serious
tags 254709 + security
thanks
Hi,
this is not wishlist but rather serious. you have world readable passwords
sitting in /etc/freenet6/
Greetings
Martin
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--k1lZvvs/B4yU6o8G
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPdu4eSm
QOYTQGJYngZZa/
=nmB3
-----END PGP SIGNATURE-----
--k1lZvvs/
Thom May (thombot) wrote : | #8 |
Not a package we care about.
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Tue, 7 Sep 2004 18:44:40 +0200
From: Martin Waitz <email address hidden>
To: Martin Zobel-Helas <email address hidden>, <email address hidden>
Subject: Re: Bug#254709: this is a serious security issue
--87MiR7gHvrw39A9h
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
On Tue, Sep 07, 2004 at 06:03:05PM +0200, Martin Zobel-Helas wrote:
> this is not wishlist but rather serious. you have world readable passwords
> sitting in /etc/freenet6/
is this file really created readable on new installations?
I thought it was a leftover from previous versions.
--=20
Martin Waitz
--87MiR7gHvrw39A9h
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPeV2j/
zrWo+YL5Zxp6JiZ
=B0ru
-----END PGP SIGNATURE-----
--87MiR7gHvrw39
In Debian Bug tracker #254709, Matt Zimmerman (mdz) wrote : Re: /etc/freenet6/tspc.conf is world readable and contains passwords | #10 |
On Tue, Sep 07, 2004 at 05:54:14PM +0200, Martin Zobel-Helas wrote:
> i am not sure wether this is the right place to contact, but i found
> /etc/freenet6/
> the source package of freenet6 confirmed my fears: /etc/freenet6/
> world readable. This file contains the username and the password to use to
> contact the IPv6 tunnelbroker freenet6.net.
>
> This effects both packages in woody and in sarge.
>
> I will also set #254709 to serious and tag it security.
Please forward a copy of the patch to <email address hidden> if this issue
also affects 0.9.6-1 in woody.
--
- mdz
Matt Zimmerman (mdz) wrote : | #11 |
freenet6 is in supported
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Tue, 7 Sep 2004 11:58:44 -0700
From: Matt Zimmerman <email address hidden>
To: Martin Zobel-Helas <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: /etc/freenet6/
On Tue, Sep 07, 2004 at 05:54:14PM +0200, Martin Zobel-Helas wrote:
> i am not sure wether this is the right place to contact, but i found
> /etc/freenet6/
> the source package of freenet6 confirmed my fears: /etc/freenet6/
> world readable. This file contains the username and the password to use to
> contact the IPv6 tunnelbroker freenet6.net.
>
> This effects both packages in woody and in sarge.
>
> I will also set #254709 to serious and tag it security.
Please forward a copy of the patch to <email address hidden> if this issue
also affects 0.9.6-1 in woody.
--
- mdz
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : Re: Bug#254709: /etc/freenet6/tspc.conf is world readable and contains passwords | #13 |
hi :)
> On Tue, Sep 07, 2004 at 05:54:14PM +0200, Martin Zobel-Helas wrote:
> > i am not sure wether this is the right place to contact, but i found
> > /etc/freenet6/
arg, it is explicitly installed -m 0600 but dh_fixperms ''fixes'' that.
The fix is to add -Xtspc.conf to the dh_fixperms call in debian/rules.
On Tue, Sep 07, 2004 at 11:58:44AM -0700, Matt Zimmerman wrote:
> Please forward a copy of the patch to <email address hidden> if this issue
> also affects 0.9.6-1 in woody.
confirmed, all versions are affected.
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Tue, 7 Sep 2004 22:35:50 +0200
From: Martin Waitz <email address hidden>
To: Martin Zobel-Helas <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#254709: /etc/freenet6/
--NYEXl3WhqsXurSTm
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
> On Tue, Sep 07, 2004 at 05:54:14PM +0200, Martin Zobel-Helas wrote:
> > i am not sure wether this is the right place to contact, but i found
> > /etc/freenet6/
arg, it is explicitly installed -m 0600 but dh_fixperms ''fixes'' that.
The fix is to add -Xtspc.conf to the dh_fixperms call in debian/rules.
On Tue, Sep 07, 2004 at 11:58:44AM -0700, Matt Zimmerman wrote:
> Please forward a copy of the patch to <email address hidden> if this is=
sue
> also affects 0.9.6-1 in woody.
confirmed, all versions are affected.
--=20
Martin Waitz
--NYEXl3WhqsXurSTm
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPhukj/
QlOi7qfOD1f5+
=Aw4s
-----END PGP SIGNATURE-----
--NYEXl3WhqsXur
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : | #15 |
hi :)
I won't have the possibility to upload a new version of freenet6 in the
next one or two weeks. I'd appreciate it if anybody could NMU to fix this bug.
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 09:10:32 +0200
From: Martin Waitz <email address hidden>
To: <email address hidden>
Subject: Re: Bug#254709: /etc/freenet6/
--Hy4a9G0dOYssRJVI
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
I won't have the possibility to upload a new version of freenet6 in the
next one or two weeks. I'd appreciate it if anybody could NMU to fix this b=
ug.
--=20
Martin Waitz
--Hy4a9G0dOYssRJVI
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPrBnj/
qqW453zGJuvVbN4
=eyEY
-----END PGP SIGNATURE-----
--Hy4a9G0dOYssR
In Debian Bug tracker #254709, Fabio Massimo Di Nitto (fabbione) wrote : NMU? | #17 |
Hi,
if nobody is working on it, I will prepare the NMU, but fixing the
permission at build time is not enough. We need to change permission on
upgrades and warn the user, probably via debconf, that the password might
be compromised.
Martin do you have any objections to this change?
Fabio
--
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : Re: Bug#254709: /etc/freenet6/tspc.conf is world readable and contains passwords | #18 |
tags 254709 + patch
thanks
see attached patch
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
In Debian Bug tracker #254709, Andreas Barth (aba) wrote : Uploaded NMU | #19 |
Hi,
I uploaded an NMU with Martins patch.
Cheers,
Andi
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : Fixed in NMU of freenet6 1.0-2.1 | #20 |
tag 254709 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 8 Sep 2004 09:46:08 +0200
Source: freenet6
Binary: freenet6
Architecture: source i386
Version: 1.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Martin Waitz <email address hidden>
Changed-By: Martin Zobel-Helas <email address hidden>
Description:
freenet6 - Client to configure an IPv6 tunnel to freenet6
Closes: 254709
Changes:
freenet6 (1.0-2.1) unstable; urgency=high
.
* NMU
* fix permission of file /etc/freenet6/
* added debconf-note about world-readable passwords
Files:
96841aa620568d
136fc1bfe58135
1196360cc558fd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iEYEARECAAYFAkE
n3kAoKQl95MPP+
=kaTB
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 11:15:30 +0200 (CEST)
From: Fabio Massimo Di Nitto <email address hidden>
To: <email address hidden>
Subject: NMU?
Hi,
if nobody is working on it, I will prepare the NMU, but fixing the
permission at build time is not enough. We need to change permission on
upgrades and warn the user, probably via debconf, that the password might
be compromised.
Martin do you have any objections to this change?
Fabio
--
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : for woody | #22 |
tags 254709 - fixed
tags 254709 + woody
thanks
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : add tag + sarge | #23 |
tags 254709 + sarge
thanks
To make sure we don't release buggy freenet6 with sarge.
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
Debian Bug Importer (debzilla) wrote : | #24 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 11:36:19 +0200
From: Martin Zobel-Helas <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#254709: /etc/freenet6/
--s2ZSL+KKDSLx8OML
Content-Type: multipart/mixed; boundary=
Content-
--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-
Content-
tags 254709 + patch
thanks
see attached patch
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-
Content-
diff -rNu freenet6-
--- freenet6-
+++ freenet6-
@@ -1,3 +1,11 @@
+freenet6 (1.0-2.1) unstable; urgency=3Dhigh
+
+ * NMU
+ * fix permission of file /etc/freenet6/
+ * added debconf-note about world-readable passwords
+
+ -- Martin Zobel-Helas <email address hidden> Wed, 8 Sep 2004 09:46:08 +0200
+
freenet6 (1.0-2) unstable; urgency=3Dlow
=20
* fix check in initscript, thanks Nelson Castillo (Closes: #221886)
diff -rNu freenet6-
--- freenet6-
+++ freenet6-
@@ -7,7 +7,7 @@
=20
Package: freenet6
Architecture: any
-Depends: ${shlibs:Depends}, net-tools, iproute
+Depends: ${shlibs:Depends}, net-tools, iproute, debconf, stat | coreutils
Suggests: radvd
Description: Client to configure an IPv6 tunnel to freenet6
Providing tspc, a Tunnel Server Protocol Client, this Package allows an e=
asy
diff -rNu freenet6-
eenet6.templates
--- freenet6-
100
+++ freenet6-
0 +0200
@@ -0,0 +1,10 @@
+Template: freenet6/passwords
+Type: note
+Description: information about readable passwords
+ freenet6 up to version 1.0-2 has the permissions of
+ /etc/freenet6/
+ the tunnel broker link set in this file.
+ I will now make the file 600, but if you have local users that you=20
+ don't trust, you should ask Freenet6.net to change your password and
+ change it in /etc/freenet6/
+
diff -rNu freenet6-
--- freenet6-
+++ freenet6-
@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+. /usr/share/
+
+if [ `stat -c%a /etc/freenet6/
Debian Bug Importer (debzilla) wrote : | #25 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 12:10:31 +0200
From: Andreas Barth <email address hidden>
To: <email address hidden>
Subject: Uploaded NMU
Hi,
I uploaded an NMU with Martins patch.
Cheers,
Andi
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : Re: Fixed in NMU of freenet6 1.0-2.1 | #26 |
hi :)
On Wed, Sep 08, 2004 at 06:32:09AM -0400, Martin Zobel-Helas wrote:
> * NMU
> * fix permission of file /etc/freenet6/
> * added debconf-note about world-readable passwords
thanks for the NMU.
Is the debconf notice only displayed when the file is infact
world-readable and does include a password?
I really don't want to show any warning if there is nothing to warn
about.
--
Martin Waitz
Fabio Massimo Di Nitto (fabbione) wrote : | #27 |
Sync requested
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : | #28 |
hi again :)
I just downloaded your NMU from incoming.d.o
could you please add something similar to
--- postinst.nmu Wed Sep 8 14:07:54 2004
+++ postinst.new Wed Sep 8 14:07:18 2004
@@ -5,7 +5,8 @@
# this is needed to set the permissions right for upgrades from woody etc
# afterwards, also dependency on debconf, stat | coreutils could be dropped
-if [ `stat -c%a /etc/freenet6/
+if [ `stat -c%a /etc/freenet6/
+ `grep ^passwd /etc/freenet6` != "passwd=" ]; then
db_input high freenet6/passwords || true
db_go || true
(I can't test that at the moment, sorry)
If that works, please send the complete patch to <email address hidden>
as requested by Matt Zimmerman.
and thank you very much for your help! :)
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #29 |
Message-Id: <email address hidden>
Date: Wed, 08 Sep 2004 06:32:09 -0400
From: Martin Zobel-Helas <email address hidden>
To: <email address hidden>
Cc: Martin Zobel-Helas <email address hidden>, Martin Waitz <email address hidden>
Subject: Fixed in NMU of freenet6 1.0-2.1
tag 254709 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 8 Sep 2004 09:46:08 +0200
Source: freenet6
Binary: freenet6
Architecture: source i386
Version: 1.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Martin Waitz <email address hidden>
Changed-By: Martin Zobel-Helas <email address hidden>
Description:
freenet6 - Client to configure an IPv6 tunnel to freenet6
Closes: 254709
Changes:
freenet6 (1.0-2.1) unstable; urgency=high
.
* NMU
* fix permission of file /etc/freenet6/
* added debconf-note about world-readable passwords
Files:
96841aa620568d
136fc1bfe58135
1196360cc558fd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iEYEARECAAYFAkE
n3kAoKQl95MPP+
=kaTB
-----END PGP SIGNATURE-----
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : | #30 |
Martin Waitz wrote:
> hi :)
>
> On Wed, Sep 08, 2004 at 06:32:09AM -0400, Martin Zobel-Helas wrote:
> > * NMU
> > * fix permission of file /etc/freenet6/
> > * added debconf-note about world-readable passwords
>
> thanks for the NMU.
> Is the debconf notice only displayed when the file is infact
> world-readable and does include a password?
> I really don't want to show any warning if there is nothing to warn
> about.
currently the debconf notice is displayed only if the file is different to 600
but even when it contains no password.
one could fix the it by adding something like:
if [ `stat -c%a /etc/freenet6/
if ! [ `grep "^passwd=$" /etc/freenet6/
fi
chmod 600 /etc/freenet6/
fi
Greetings
Martin
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
Debian Bug Importer (debzilla) wrote : | #31 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 12:58:18 +0200
From: Martin Zobel-Helas <email address hidden>
To: <email address hidden>
Subject: for woody
--BOKacYhQ+x31HxR3
Content-Type: text/plain; charset=us-ascii
Content-
Content-
tags 254709 - fixed
tags 254709 + woody
thanks
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--BOKacYhQ+x31HxR3
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPuXKeSm
f2qm3X3BiJML1nK
=467m
-----END PGP SIGNATURE-----
--BOKacYhQ+
Debian Bug Importer (debzilla) wrote : | #32 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 13:11:23 +0200
From: Martin Zobel-Helas <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: add tag + sarge
--k+w/mQv8wyuph6w0
Content-Type: text/plain; charset=us-ascii
Content-
Content-
tags 254709 + sarge
thanks
To make sure we don't release buggy freenet6 with sarge.
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--k+w/mQv8wyuph6w0
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPujbeSm
U4iXYs3+
=WMwq
-----END PGP SIGNATURE-----
--k+w/mQv8wyuph
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : | #33 |
hi :)
On Wed, Sep 08, 2004 at 02:16:55PM +0200, Martin Zobel-Helas wrote:
> if [ `stat -c%a /etc/freenet6/
> if ! [ `grep "^passwd=$" /etc/freenet6/
> db_input high freenet6/passwords || true
> db_go || true
> fi
> chmod 600 /etc/freenet6/
> fi
that looks great!
could you please include that check in a new upload
(and pass on a patch to the security team, as requested)
thanks a lot!
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #34 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 14:00:13 +0200
From: Martin Waitz <email address hidden>
To: Martin Zobel-Helas <email address hidden>
Cc: <email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
--1RfOVxRbNnn9f8MI
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
On Wed, Sep 08, 2004 at 06:32:09AM -0400, Martin Zobel-Helas wrote:
> * NMU
> * fix permission of file /etc/freenet6/
> * added debconf-note about world-readable passwords
thanks for the NMU.
Is the debconf notice only displayed when the file is infact
world-readable and does include a password?
I really don't want to show any warning if there is nothing to warn
about.
--=20
Martin Waitz
--1RfOVxRbNnn9f8MI
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPvNaj/
fztmGrY0q5PxTGJ
=ao/K
-----END PGP SIGNATURE-----
--1RfOVxRbNnn9f
Debian Bug Importer (debzilla) wrote : | #35 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 14:13:01 +0200
From: Martin Waitz <email address hidden>
To: Martin Zobel-Helas <email address hidden>
Cc: <email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
--W/IQTGW+1SjCkQmn
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi again :)
I just downloaded your NMU from incoming.d.o
could you please add something similar to
--- postinst.nmu Wed Sep 8 14:07:54 2004
+++ postinst.new Wed Sep 8 14:07:18 2004
@@ -5,7 +5,8 @@
# this is needed to set the permissions right for upgrades from woody etc
# afterwards, also dependency on debconf, stat | coreutils could be dropped
-if [ `stat -c%a /etc/freenet6/
+if [ `stat -c%a /etc/freenet6/
+ `grep ^passwd /etc/freenet6` !=3D "passwd=3D" ]; then
db_input high freenet6/passwords || true
db_go || true
=20
(I can't test that at the moment, sorry)
If that works, please send the complete patch to <email address hidden>
as requested by Matt Zimmerman.
and thank you very much for your help! :)
--=20
Martin Waitz
--W/IQTGW+1SjCkQmn
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPvdMj/
bYK98Vv66HorFYy
=iAzA
-----END PGP SIGNATURE-----
--W/IQTGW+
Debian Bug Importer (debzilla) wrote : | #36 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 14:16:55 +0200
From: Martin Zobel-Helas <email address hidden>
To: Martin Waitz <email address hidden>
Cc: <email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Martin Waitz wrote:
> hi :)
>=20
> On Wed, Sep 08, 2004 at 06:32:09AM -0400, Martin Zobel-Helas wrote:
> > * NMU
> > * fix permission of file /etc/freenet6/
> > * added debconf-note about world-readable passwords
>=20
> thanks for the NMU.
> Is the debconf notice only displayed when the file is infact
> world-readable and does include a password?
> I really don't want to show any warning if there is nothing to warn
> about.
currently the debconf notice is displayed only if the file is different to =
600
but even when it contains no password.
one could fix the it by adding something like:
if [ `stat -c%a /etc/freenet6/
if ! [ `grep "^passwd=3D$" /etc/freenet6/
fi
chmod 600 /etc/freenet6/
fi
Greetings
Martin
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--GvXjxJ+pjyke8COw
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPvg3eSm
zqi4Ru5jFoic9Te
=Kfmb
-----END PGP SIGNATURE-----
--GvXjxJ+
In Debian Bug tracker #254709, Martin Zobel-Helas (zobel) wrote : | #37 |
Martin Waitz wrote:
> If that works, please send the complete patch to <email address hidden>
> as requested by Matt Zimmerman.
>
>
> and thank you very much for your help! :)
Hi,
here comes the full patch for the NMU (including first and second NMU), which
was adjusted on the wish of the maintainer.
Greetings
Martin
--
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
Debian Bug Importer (debzilla) wrote : | #38 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 14:53:06 +0200
From: Martin Waitz <email address hidden>
To: Martin Zobel-Helas <email address hidden>
Cc: <email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
--KtWcatouGV9Nk9BU
Content-Type: text/plain; charset=us-ascii
Content-
Content-
hi :)
On Wed, Sep 08, 2004 at 02:16:55PM +0200, Martin Zobel-Helas wrote:
> if [ `stat -c%a /etc/freenet6/
> if ! [ `grep "^passwd=3D$" /etc/freenet6/
> db_input high freenet6/passwords || true
> db_go || true
> fi
> chmod 600 /etc/freenet6/
> fi
that looks great!
could you please include that check in a new upload
(and pass on a patch to the security team, as requested)
thanks a lot!
--=20
Martin Waitz
--KtWcatouGV9Nk9BU
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBPwCxj/
yE1WldBcIcIGwzE
=0emu
-----END PGP SIGNATURE-----
--KtWcatouGV9Nk
Debian Bug Importer (debzilla) wrote : | #39 |
Message-ID: <email address hidden>
Date: Wed, 8 Sep 2004 16:05:17 +0200
From: Martin Zobel-Helas <email address hidden>
To: Martin Waitz <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
--FkmkrVfFsRoUs1wW
Content-Type: multipart/mixed; boundary=
Content-
--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Martin Waitz wrote:
> If that works, please send the complete patch to <email address hidden>
> as requested by Matt Zimmerman.
>=20
>=20
> and thank you very much for your help! :)
Hi,
here comes the full patch for the NMU (including first and second NMU), whi=
ch=20
was adjusted on the wish of the maintainer.
Greetings
Martin
--=20
Martin Zobel-Helas <email address hidden> or <email address hidden>
http://
GPGKey-
.
Please don't CC me, I am reading the lists I am posting to.
--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-
Content-
diff -rNu freenet6-
--- freenet6-
+++ freenet6-
@@ -1,3 +1,18 @@
+freenet6 (1.0-2.2) unstable; urgency=3Dhigh
+
+ * NMU
+ * modified postinst to only display debconf notice when password is not =
empty
+
+ -- Martin Zobel-Helas <email address hidden> Wed, 8 Sep 2004 15:23:28 +0200
+
+freenet6 (1.0-2.1) unstable; urgency=3Dhigh
+
+ * NMU
+ * fix permission of file /etc/freenet6/
+ * added debconf-note about world-readable passwords
+
+ -- Martin Zobel-Helas <email address hidden> Wed, 8 Sep 2004 09:46:08 +0200
+
freenet6 (1.0-2) unstable; urgency=3Dlow
=20
* fix check in initscript, thanks Nelson Castillo (Closes: #221886)
diff -rNu freenet6-
--- freenet6-
+++ freenet6-
@@ -7,7 +7,7 @@
=20
Package: freenet6
Architecture: any
-Depends: ${shlibs:Depends}, net-tools, iproute
+Depends: ${shlibs:Depends}, net-tools, iproute, debconf, stat | coreutils
Suggests: radvd
Description: Client to configure an IPv6 tunnel to freenet6
Providing tspc, a Tunnel Server Protocol Client, this Package allows an e=
asy
diff -rNu freenet6-
eenet6.templates
--- freenet6-
100
+++ freenet6-
0 +0200
@@ -0,0 +1,10 @@
+Template: freenet6/passwords
+Type: note
+Description: information about readable passwords
+ freenet6 up to version 1.0-2 has the permissions of
+ /etc/freenet6/
+ the tunnel broker link set in this file.
+ I will n...
Matt Zimmerman (mdz) wrote : | #40 |
It looks like the maintainer has made further adjustments to his fix; which one
do we want?
Fabio Massimo Di Nitto (fabbione) wrote : | #41 |
sync requested
Matt Zimmerman (mdz) wrote : | #42 |
sync complete
In Debian Bug tracker #254709, Martin Schulze (joey-infodrom) wrote : | #43 |
Martin Zobel-Helas wrote:
> Martin Waitz wrote:
> > If that works, please send the complete patch to <email address hidden>
> > as requested by Matt Zimmerman.
> >
> >
> > and thank you very much for your help! :)
>
> Hi,
>
> here comes the full patch for the NMU (including first and second NMU), which
> was adjusted on the wish of the maintainer.
Please mention CAN-2004-0563 in the changelog so we can track this isssssue
more easily.
Regards,
Joey
--
No question is too silly to ask, but, of course, some are too silly
to answer. -- Perl book
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #44 |
Message-ID: <email address hidden>
Date: Mon, 13 Sep 2004 23:24:15 +0200
From: Martin Schulze <email address hidden>
To: Martin Zobel-Helas <email address hidden>
Cc: Martin Waitz <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Fixed in NMU of freenet6 1.0-2.1
Martin Zobel-Helas wrote:
> Martin Waitz wrote:
> > If that works, please send the complete patch to <email address hidden>
> > as requested by Matt Zimmerman.
> >
> >
> > and thank you very much for your help! :)
>
> Hi,
>
> here comes the full patch for the NMU (including first and second NMU), which
> was adjusted on the wish of the maintainer.
Please mention CAN-2004-0563 in the changelog so we can track this isssssue
more easily.
Regards,
Joey
--
No question is too silly to ask, but, of course, some are too silly
to answer. -- Perl book
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #254709, Steve Langasek (vorlon) wrote : | #45 |
tags 254709 - sarge
thanks
The fixed package has reached testing.
--
Steve Langasek
postmodern programmer
Debian Bug Importer (debzilla) wrote : | #46 |
Message-ID: <email address hidden>
Date: Tue, 14 Sep 2004 03:58:45 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: freenet6: chmod go-r /etc/freenet6/
tags 254709 - sarge
thanks
The fixed package has reached testing.
--
Steve Langasek
postmodern programmer
In Debian Bug tracker #254709, Martin Waitz (tali) wrote : Fixed in upload of tspc 2.1.1-1 to experimental | #47 |
tag 113325 + fixed-in-
tag 254709 + fixed-in-
tag 270480 + fixed-in-
tag 271947 + fixed-in-
tag 274864 + fixed-in-
tag 280029 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 5 Oct 2004 23:56:32 +0200
Source: tspc
Binary: freenet6 tspc
Architecture: source i386 all
Version: 2.1.1-1
Distribution: experimental
Urgency: low
Maintainer: Martin Waitz <email address hidden>
Changed-By: Martin Waitz <email address hidden>
Description:
freenet6 - IPv6 tunnel to freenet6 (transitional package)
tspc - Client to configure an IPv6 tunnel to freenet6
Closes: 113325 254709 270480 271947 274864 280029
Changes:
tspc (2.1.1-1) experimental; urgency=low
.
* New upstream release (Closes: #274864, #270480)
- has a daemon mode to renew tunnel (Closes: #113325)
- creates 2000/3 route (Closes: #280029)
* use po-debconf (thanks Martin Quinson) (Closes: #271947)
* use CDBS and quilt for packaging
* Acknowlege NMU, thanks Martin -- CAN-2004-0563 (Closes: #254709)
Files:
7ffe7c13fefe56
65183cae002fea
c36e3678c77ddb
9109949d3e5cc4
7d0921633c19da
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBrlR5j/
TQdRvcgS8vd014d
=G5Rx
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #48 |
Message-Id: <email address hidden>
Date: Sun, 19 Dec 2004 00:44:22 -0500
From: Martin Waitz <email address hidden>
To: <email address hidden>
Cc: Martin Waitz <email address hidden>
Subject: Fixed in upload of tspc 2.1.1-1 to experimental
tag 113325 + fixed-in-
tag 254709 + fixed-in-
tag 270480 + fixed-in-
tag 271947 + fixed-in-
tag 274864 + fixed-in-
tag 280029 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 5 Oct 2004 23:56:32 +0200
Source: tspc
Binary: freenet6 tspc
Architecture: source i386 all
Version: 2.1.1-1
Distribution: experimental
Urgency: low
Maintainer: Martin Waitz <email address hidden>
Changed-By: Martin Waitz <email address hidden>
Description:
freenet6 - IPv6 tunnel to freenet6 (transitional package)
tspc - Client to configure an IPv6 tunnel to freenet6
Closes: 113325 254709 270480 271947 274864 280029
Changes:
tspc (2.1.1-1) experimental; urgency=low
.
* New upstream release (Closes: #274864, #270480)
- has a daemon mode to renew tunnel (Closes: #113325)
- creates 2000/3 route (Closes: #280029)
* use po-debconf (thanks Martin Quinson) (Closes: #271947)
* use CDBS and quilt for packaging
* Acknowlege NMU, thanks Martin -- CAN-2004-0563 (Closes: #254709)
Files:
7ffe7c13fefe56
65183cae002fea
c36e3678c77ddb
9109949d3e5cc4
7d0921633c19da
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBrlR5j/
TQdRvcgS8vd014d
=G5Rx
-----END PGP SIGNATURE-----
In Debian Bug tracker #254709, Martin Waitz (tali-admingilde) wrote : Fixed with new upstream version. | #49 |
hoi :)
tspc 2.1.1-2 has entered unstable fixing all those bugs.
For details, see the Changelogs for 2.1.1-1
--
Martin Waitz
Debian Bug Importer (debzilla) wrote : | #50 |
Message-ID: <email address hidden>
Date: Fri, 24 Dec 2004 21:25:56 +0100
From: Martin Waitz <email address hidden>
To: <email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>
Subject: Fixed with new upstream version.
hoi :)
tspc 2.1.1-2 has entered unstable fixing all those bugs.
For details, see the Changelogs for 2.1.1-1
--=20
Martin Waitz
Changed in freenet6: | |
status: | Unknown → Fix Released |
hi :)
On Wed, Jun 16, 2004 at 04:51:30PM +0200, Simon Josefsson wrote:
> Hello. I think it might be nice to make the tspc.conf file readable
> only to root, since it may contain passwords. People adding a
> password might forget to change permissions.
nice catch, will be in the next version.
thanks.
--
Martin Waitz