Full Disclosure mailing list archives
[ GLSA 200807-10 ] Bacula: Information disclosure
From: Pierre-Yves Rofes <py () gentoo org>
Date: Mon, 21 Jul 2008 20:08:18 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200807-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Bacula: Information disclosure
      Date: July 21, 2008
      Bugs: #196834
        ID: 200807-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Bacula may allow local attackers to obtain sensitive
information.

Background
==========

Bacula is a network based backup suite.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-backup/bacula         < 2.4.1                      >= 2.4.1

Description
===========

Matthijs Kooijman reported that the "make_catalog_backup" script passes
the MySQL password as a command line argument when invoking other
programs.

Impact
======

A local attacker could list the processes on the local machine while the
script is running and read the MySQL password from the command line of
the invoked program. Note: the password could also be disclosed via
network sniffing when the script fails, because the failure report,
including the command line, is sent via cleartext e-mail.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

A warning about this issue has been added in version 2.4.1, but the
issue itself is still unfixed. We advise not to use the
make_catalog_backup script, but to put all MySQL parameters into a
dedicated file readable only by the user running Bacula.

References
==========

  [ 1 ] CVE-2007-5626
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
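The following shell snippet is an added example, not Bacula's make_catalog_backup script, illustrating the difference between the leaky pattern described in the advisory and the file-based credential handling recommended in the Resolution section. It contrasts a mysqldump command line that embeds the password (the shape of the problem: any local user can read argv via ps) with one that passes the credentials through mysqldump's `--defaults-extra-file` option, reading a `[client]` section from a file created with mode 0600, and it adds a check that refuses a credentials file that other users could read. The database name, user, password and paths are constructed for illustration; the demo never actually invokes mysqldump.

```shell
#!/bin/sh
# Added example (not Bacula's own script). DB name, user, password and
# paths below are assumptions chosen for illustration only.

DB_NAME="bacula"
DB_USER="bacula"

# Leaky pattern: the password lands in argv of the child process, where
# every local user can read it from the process table (ps -ef) for as
# long as the dump runs. Shown only to make the shape of the bug visible.
leaky_dump_cmd() {
    # $1 = password
    printf 'mysqldump -u %s -p%s %s\n' "$DB_USER" "$1" "$DB_NAME"
}

# Hardened pattern: argv carries only a path; the MySQL client library
# reads user/password from the [client] section of that file.
safe_dump_cmd() {
    # $1 = path to credentials file
    printf 'mysqldump --defaults-extra-file=%s %s\n' "$1" "$DB_NAME"
}

# Write the credentials file in my.cnf [client] format. The subshell umask
# makes the file private from the moment it is created, so there is no
# window in which it is world-readable before chmod runs.
write_creds_file() {
    # $1 = path, $2 = password
    ( umask 077 && printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$2" > "$1" )
    chmod 0600 "$1"
}

# Refuse to use a credentials file unless it is a regular file owned by the
# calling user with no group/other permissions (0600 or 0400). The mode and
# owner are taken from ls -ld, which is portable across Linux and BSD.
check_creds_file() {
    path="$1"
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")
    case "$1" in
        -rw-------*|-r--------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$(id -un)" ]
}

# Demo on a constructed credentials file in a temporary directory.
demo_dir=$(mktemp -d)
creds="$demo_dir/my.cnf"
write_creds_file "$creds" 'example-password-not-real'
check_creds_file "$creds" && echo "ok: $creds is private"
echo "leaky:  $(leaky_dump_cmd 'example-password-not-real')"
echo "safe:   $(safe_dump_cmd "$creds")"
chmod 0644 "$creds"
check_creds_file "$creds" || echo "refused: $creds is readable by others"
rm -rf "$demo_dir"
```

The check is worth keeping in a real backup script: a credentials file only protects the password while its permissions stay tight, so verifying mode and owner before every run turns a silent permission drift into a failed backup that someone will notice.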