[pkg-firebird-general] Bug#481389: [Secure-testing-team] Bug#481389: Debian package allows passwordless SYSDBA remote connections

Damyan Ivanov dmn at debian.org
Thu May 15 20:38:03 UTC 2008


-=| Nico Golde, Thu, May 15, 2008 at 10:09:41PM +0200 |=-
> * Damyan Ivanov <dmn at debian.org> [2008-05-15 20:32]:
> > 
> > The only reason for this to not be of critical severity is that database
> > services are typically firewalled.
> > 
> [...] 
> As far as I can see, firebird is disabled after the 
> installation and needs to be dpkg-reconfigure'ed which will 
> ask for a password or set a random one.

Right. I was just about to add this as another reason for preferring 'grave'
over 'critical'.

Still, I estimate the installations with dpkg-reconfigure-enabled
servers to be more than the ones that are kept disabled.


Another addition: as the fix is in a conffile, perhaps some words
encouraging admins to accept the new version would be in order for the
advisory.

-- 
dam            JabberID: dam at jabber.minus273.org