[Secure-testing-team] Bug#579087: [prosody] Database directory, including plaintext password is world readable
Adrien Clerc
adrien at antipoul.fr
Sun Apr 25 08:35:11 UTC 2010
Package: prosody
Version: 0.6.2-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
Hi,
It seems that /var/lib/prosody and all subdirectories and files are world
readable. Since those files can contain plaintext passwords, it is very
annoying for public servers.
Please make sure that the database can only be read by the prosody user.
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.32-3-686
Debian Release: squeeze/sid
500 unstable ftp.fr.debian.org
--- Package information. ---
Depends (Version) | Installed
=======================================-+-==============
adduser | 3.112
openssl | 0.9.8n-1
lua5.1 |
liblua5.1-0 | 5.1.4-5
liblua5.1-expat0 |
liblua5.1-socket2 |
libc6 (>= 2.2) | 2.10.2-6
libidn11 (>= 1.13) | 1.18-1
libssl0.9.8 (>= 0.9.8m-1) | 0.9.8n-1
liblua5.1-filesystem0 |
Recommends (Version) | Installed
=============================-+-===========
liblua5.1-sec1 |
Package's Suggests field is empty.
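
One way to check for and correct the condition the report describes, as an added example that is not part of the original bug report or of the Debian package. The function names and the sample directory layout are assumptions made for illustration; only the path /var/lib/prosody comes from the report.

```shell
#!/bin/sh
# Added example: audit a data directory for entries readable, writable or
# searchable by "other", then remove those bits.
# Typical use on the path from the report (run as root):
#   list_world_accessible /var/lib/prosody
#   make_private /var/lib/prosody

# Print every file or directory under $1 that grants any permission to
# "other". Symlinks are skipped because their own mode bits are not
# meaningful.
list_world_accessible() {
    find "$1" ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Return 0 when nothing under $1 is accessible to "other", 1 otherwise.
is_private() {
    [ -z "$(list_world_accessible "$1")" ]
}

# Strip all "other" permission bits under $1. Owner and group bits are left
# unchanged, so the service account that owns the files keeps its access.
make_private() {
    chmod -R o-rwx "$1"
}

# Build a constructed sample tree (hypothetical layout) with the
# world-readable modes the report complains about, and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/host/accounts"
    printf 'password = "constructed-sample"\n' > "$root/host/accounts/user.dat"
    chmod 755 "$root" "$root/host" "$root/host/accounts"
    chmod 644 "$root/host/accounts/user.dat"
    printf '%s\n' "$root"
}
```

Removing the "other" bits only helps if the directory tree is owned by the account the server runs as, so ownership should be checked alongside the mode.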