Hello,
The /etc/piwi/config.pl is world readable. A malicious local user could obtain sensitive information such as the login & password for mysql prelude - piwi access.
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
Actual Results: This file is world readable
Expected Results: This file should not be world readable
netmon please advise.
Valid for piwi-0.8.0.20031109-r2. Fixed in piwi-0.8.0.20031109-r3
piwi-0.8.0.20031109-r2:
1214849 4 -rw-r--r-- 1 root root 1103 May 5 18:32 ./etc/piwi/config.pl
1214850 4 -rw-r--r-- 1 root root 371 May 5 18:32 ./etc/piwi/piwi-apache.conf
piwi-0.8.0.20031109-r3:
1214077 4 -rw-r----- 1 root root 1103 May 5 18:31 ./etc/piwi/config.pl
1214079 4 -rw-r--r-- 1 root root 371 May 5 18:31 ./etc/piwi/piwi-apache.conf
Major outstanding bug on piwi - bug #66167
Aaron/Elead - is /etc/piwi/piwi-apache.conf a valid location for apache conf files?
Thoughts on package removal?
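The check behind the r2/r3 listings above, as an added example that is not part of the original bug thread or of the piwi ebuild: it lists world-readable files under a config tree that appear to hold credentials, and applies the same permission change the r3 listing shows. The function names and the password-matching pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a config tree for world-readable files that look
# like they contain credentials. Not taken from the piwi ebuild.

# Print regular files under directory $1 that have the "other: read" bit set
# (the -rw-r--r-- case shown for config.pl in r2).
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Of those files, print the ones whose contents mention a password-like
# setting. The pattern is a heuristic (assumption), not piwi's real key names.
exposed_credential_files() {
    world_readable_files "$1" | while IFS= read -r f; do
        if grep -q -i -E 'pass(word|wd)?' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove all access for "other"; a 0644 file becomes 0640, which is the
# -rw-r----- mode shown for config.pl in r3.
restrict_file() {
    chmod o-rwx "$1"
}

# Command-line use: pass the directory to audit, e.g. /etc/piwi.
if [ "$#" -gt 0 ]; then
    exposed_credential_files "$1"
fi
```

Note that with owner and group both root, as in the r3 listing, mode 0640 only helps if the process that reads the file can still open it.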
netmon is this ready for stable marking?
Is this ready for stable marking or going to be masked?
There is still bug 66167 open regarding PIWI. Personally, I'd mask PIWI, prewikka should be able to replace it when an ebuild is available.
This is a default config bug... If you put passwords in clear in there, protect the file dammit. + If PIWI has an outstanding bug I agree it should be masked anyway.
Ok, there is a prewikka ebuild in the pipe on bug #87617. I'd say get it in the tree and remove piwi. netmon?
netmon please comment.
That prewikka ebuild is a bit funky and I am not sure it can just be pushed into the tree. Upstream made it tough to script an install in a sane manner. Still, I think piwi should be masked for future deletion. When prewikka gets in the tree, we can take piwi out.
Bug #66167 is not a regression. Either we should call arches to mark piwi-0.8.0.20031109-r3 stable or mask. netmon it's your package, what course of action do you propose?
prewikka was committed in bug #87617. This is the replacement for piwi. After a little more testing piwi will be removed and a package move entry piwi->prewikka. I just masked it too.
Thx Daniel
piwi removed from tree.
Ready to close.