ports/88621: "portupgrade horde" overwrites config file
Heinrich Rebehn
rebehn at ant.uni-bremen.de
Mon Nov 7 19:40:17 UTC 2005
>Number: 88621
>Category: ports
>Synopsis: "portupgrade horde" overwrites config file
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 07 19:40:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Heinrich Rebehn
>Release: 5.4-RELEASE-p8
>Organization:
University of Bremen
>Environment:
FreeBSD antsrv1.ant.uni-bremen.de 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #18: Wed Oct 12 13:09:37 CEST 2005 root at antsrv1.ant.uni-bremen.de:/usr/obj/usr/src/sys/ANTSRV1 i386
>Description:
After portupgrading horde, the config file
/usr/local/www/horde/config/conf.php
is replaced by a default one which allows full admin access to horde
for everyone.
Although the install script kindly renames my customized config
file to 'conf.php.previous' so i do not have to restore it from
backup, i consider it a grave security bug, when after the upgrade
everyone is greeted "Welcome Administrator".
I upgraded to horde-3.0.6
>How-To-Repeat:
>Fix:
The install script should not replace the customized config files,
rather install the package provided ones as 'conf.php.new' or such,
so the admin can merge by hand.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list