zoneminder: conf file permissions need to be more restrictive

Related Vulnerabilities: CVE-2008-6755   CVE-2008-3882   CVE-2008-3881   CVE-2008-3880  

Debian Bug report logs - #528252


Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 11 May 2009 17:48:04 UTC

Severity: normal

Tags: security

Fixed in version zoneminder/1.24.1-1

Done: Peter Howard <pjh@northern-ridge.com.au>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#528252; Package zoneminder. (Mon, 11 May 2009 17:48:06 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 11 May 2009 17:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: zoneminder: conf file permissions need to be more restrictive
Date: Mon, 11 May 2009 13:46:14 -0400
Package: zoneminder
Severity: normal
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for zoneminder.

CVE-2008-6755[0]:
| ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
| the apache user account, and sets the permissions to 0600, which makes
| it easier for remote attackers to modify this file by accessing it
| through a (1) PHP or (2) CGI script.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
    http://security-tracker.debian.net/tracker/CVE-2008-6755
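The CVE text above describes the weak setting: the configuration file is owned by the web-server account and mode 0600, so any PHP or CGI script that runs as that account can rewrite it (the Debian fix below moves the file to 0400). The following script is an added example for auditing such a file; it is not part of this bug report or of ZoneMinder. It decides from the permission bits alone whether a named account could write the file, and flags the case where that account owns the file, because an owner can always change the mode back. It assumes Linux with GNU coreutils `stat`; the path `/etc/zm.conf` and the account name `www-data` in the usage are assumptions, not values from the report.

```shell
#!/bin/sh
# perm_audit FILE WEBUSER
# Added example, not ZoneMinder or Debian code.
# Returns 0 if WEBUSER cannot write FILE through its permission bits,
# 1 if it can, 2 if FILE is missing. Assumes GNU stat (Linux).
perm_audit() {
  file=$1
  webuser=$2
  if [ ! -e "$file" ]; then
    echo "perm_audit: $file does not exist" >&2
    return 2
  fi

  sym=$(stat -c '%A' "$file")     # symbolic mode, e.g. -rw-------
  owner=$(stat -c '%U' "$file")   # owning user name
  group=$(stat -c '%G' "$file")   # owning group name
  # groups the web account belongs to (empty if the account is unknown)
  groups=$(id -Gn "$webuser" 2>/dev/null) || groups=""

  writable=no
  # owner write bit (column 3) only matters if the web account owns the file
  if [ "$owner" = "$webuser" ] && [ "$(printf '%s' "$sym" | cut -c3)" = w ]; then
    writable=yes
  fi
  # group write bit (column 6) matters if the web account is in the file's group
  case " $groups " in
    *" $group "*)
      if [ "$(printf '%s' "$sym" | cut -c6)" = w ]; then writable=yes; fi ;;
  esac
  # other write bit (column 9) lets every local account modify the file
  if [ "$(printf '%s' "$sym" | cut -c9)" = w ]; then writable=yes; fi

  echo "$file: mode=$sym owner=$owner group=$group web-user=$webuser"
  if [ "$owner" = "$webuser" ]; then
    # 0400 owned by the web account is still only a speed bump: the owner can chmod it
    echo "  note: $webuser owns this file and can change its mode; prefer root ownership"
  fi
  if [ "$writable" = yes ]; then
    echo "  FAIL: writable by $webuser"
    return 1
  fi
  echo "  OK: not writable by $webuser"
  return 0
}
```

Usage on a deployed system would be `perm_audit /etc/zm.conf www-data` (both values assumed). A file that is 0600 and owned by the web account fails; the same file at 0400 passes the bit check but still prints the ownership note, since only root ownership (with the web account limited to read access through a group) removes the account's ability to change the mode.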




Reply sent to Peter Howard <pjh@northern-ridge.com.au>:
You have taken responsibility. (Tue, 02 Jun 2009 05:42:08 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 02 Jun 2009 05:42:08 GMT)


Message #10 received at 528252-close@bugs.debian.org:

From: Peter Howard <pjh@northern-ridge.com.au>
To: 528252-close@bugs.debian.org
Subject: Bug#528252: fixed in zoneminder 1.24.1-1
Date: Tue, 02 Jun 2009 05:17:05 +0000
Source: zoneminder
Source-Version: 1.24.1-1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive:

zoneminder_1.24.1-1.diff.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.diff.gz
zoneminder_1.24.1-1.dsc
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.dsc
zoneminder_1.24.1-1_i386.deb
  to pool/main/z/zoneminder/zoneminder_1.24.1-1_i386.deb
zoneminder_1.24.1.orig.tar.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528252@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Howard <pjh@northern-ridge.com.au> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 May 2009 07:02:50 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.1-1
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Peter Howard <pjh@northern-ridge.com.au>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 486064 497640 526918 528252
Changes: 
 zoneminder (1.24.1-1) unstable; urgency=high
 .
   * Initial release of zoneminder 1.24.1, closing CVE-2008-3882,
     CVE-2008-3881, CVE-2008-3880
     (closes: #497640)
   * Change syslog dependency to rsyslog.
     (closes: #526918)
   * Add missing perl dependency.
   * Restore patch to disable "check for updates" by default.
   * Removed spurious '$' in init script.
     (closes: #486064)
   * Change permission of zm.conf from 0600 to 0400 for CVE-2008-6755
     (closes: #528252)
Checksums-Sha1: 
 cf1110cd5560c692a3b6651de4558a55d72cf690 1358 zoneminder_1.24.1-1.dsc
 dbfc665434913564993403711e9dd3a85a72158c 894667 zoneminder_1.24.1.orig.tar.gz
 e33036cb76d819e77209055e8f79c1861cd8ced8 34335 zoneminder_1.24.1-1.diff.gz
 b3cf4c223d9bceb497640a9f1545feca21eb6846 1409582 zoneminder_1.24.1-1_i386.deb
Checksums-Sha256: 
 1d4578fdeb98b6edc18a9734799f33810d5c2aa980d73ac0da6a5b5193959486 1358 zoneminder_1.24.1-1.dsc
 53a1514413cb401e0945fad009483e560a9a4d2e0ba40350988ca87fbb860ab2 894667 zoneminder_1.24.1.orig.tar.gz
 b5ae1df341ae295d1c64eed348498bb86fbc2be1d1d3268541508c98ed40f70e 34335 zoneminder_1.24.1-1.diff.gz
 577f7d113cd3abed23af98ed4aa8524b35c6589f2b967cbb4213374a3369e47e 1409582 zoneminder_1.24.1-1_i386.deb
Files: 
 cab6c87427894ae5a8cf13f07e7c7d09 1358 net optional zoneminder_1.24.1-1.dsc
 1e4ce392d645cbb28037ecebc5a56584 894667 net optional zoneminder_1.24.1.orig.tar.gz
 b16b05e0148974f30224c41f85817073 34335 net optional zoneminder_1.24.1-1.diff.gz
 413f13e249d32e110aed83ab2e41c83e 1409582 net optional zoneminder_1.24.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoksi4ACgkQCfB0CMh//C+UnQCeIhFae6h8jdDy6v2LWz8SSjkB
88MAoKAhjaN3XLY3ROhbEmJmmgTR7/0H
=23sC
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Jul 2009 07:43:29 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:40:55 2019; Machine Name: beach