author | tonnerre <tonnerre> | 2008-07-13 15:26:36 +0000 |
---|---|---|
committer | tonnerre <tonnerre> | 2008-07-13 15:26:36 +0000 |
commit | 8ec953cbb03746d9f7095c0732f9751ff79715d7 (patch) | |
tree | d53c7f6928dff2c8f703e70dc22a1b568504f2e2 | |
parent | cc90ac8895c6d5ad74e74d46aea238a6a0fef606 (diff) | |
Add patches "solving" the issue of bacula exposing passwords et cetera
through the command line parameters of various tools (CVE-2007-5626).
-rw-r--r-- | sysutils/bacula-doc/Makefile | 3 | ||||
-rw-r--r-- | sysutils/bacula-doc/distinfo | 7 | ||||
-rw-r--r-- | sysutils/bacula-doc/patches/patch-aa | 16 | ||||
-rw-r--r-- | sysutils/bacula-doc/patches/patch-ab | 47 | ||||
-rw-r--r-- | sysutils/bacula-doc/patches/patch-ac | 13 | ||||
-rw-r--r-- | sysutils/bacula-doc/patches/patch-ad | 13 | ||||
-rw-r--r-- | sysutils/bacula-doc/patches/patch-ae | 13 | ||||
-rw-r--r-- | sysutils/bacula/Makefile | 4 | ||||
-rw-r--r-- | sysutils/bacula/distinfo | 4 | ||||
-rw-r--r-- | sysutils/bacula/patches/patch-ab | 26 | ||||
-rw-r--r-- | sysutils/bacula/patches/patch-ak | 13 |
11 files changed, 154 insertions, 5 deletions
diff --git a/sysutils/bacula-doc/Makefile b/sysutils/bacula-doc/Makefile
index 8b338a56115..893c9d665a0 100644
--- a/sysutils/bacula-doc/Makefile
+++ b/sysutils/bacula-doc/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2008/01/04 14:32:50 ghen Exp $
+# $NetBSD: Makefile,v 1.16 2008/07/13 15:26:36 tonnerre Exp $
 DISTNAME= bacula-docs-2.0.2
+PKGREVISION= 1
 PKGNAME= ${DISTNAME:S/docs/doc/}
 CATEGORIES= sysutils
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=bacula/}
diff --git a/sysutils/bacula-doc/distinfo b/sysutils/bacula-doc/distinfo
index fa9a75d4851..28f3054df46 100644
--- a/sysutils/bacula-doc/distinfo
+++ b/sysutils/bacula-doc/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.13 2007/01/31 17:59:10 ghen Exp $
+$NetBSD: distinfo,v 1.14 2008/07/13 15:26:36 tonnerre Exp $
 SHA1 (bacula-docs-2.0.2.tar.gz) = a07c74b0c98f7afe0896f3f4908004e3984819e6
 RMD160 (bacula-docs-2.0.2.tar.gz) = 14c6582e9dabc4448fb681be192f46835ba0cb30
 Size (bacula-docs-2.0.2.tar.gz) = 29776690 bytes
+SHA1 (patch-aa) = 04898ece4b4c13b50acf08dad16a76eea0fbfc7d
+SHA1 (patch-ab) = e8320baae18f53f5091a0d0b662ec7e613cc1713
+SHA1 (patch-ac) = 829d3cff40f095f3d2e0959f8dbb368031d7c51b
+SHA1 (patch-ad) = 16a4e438f0931d436d914440d98874dcf0b17467
+SHA1 (patch-ae) = ddcb2258ae20aec96904bf6b08672a413358ed13
diff --git a/sysutils/bacula-doc/patches/patch-aa b/sysutils/bacula-doc/patches/patch-aa
new file mode 100644
index 00000000000..2bc02683d52
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-aa
@@ -0,0 +1,16 @@
+$NetBSD: patch-aa,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/tips.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/tips.tex
+@@ -598,6 +598,11 @@ setup procedure leaves the database open
+ assign the user {\bf bacula} a userid and add it to your Director's
+ configuration file in the appropriate Catalog resource.
+
++If you use the make_catalog_backup script provided by Bacula, remember that
++you should take care when supplying passwords on the command line. Read the
++\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula
++Database - Security Considerations } for more information.
++
+ \section{Creating Holiday Schedules}
+ \label{holiday}
+ \index[general]{Schedules!Creating Holiday }
diff --git a/sysutils/bacula-doc/patches/patch-ab b/sysutils/bacula-doc/patches/patch-ab
new file mode 100644
index 00000000000..63dbe364b49
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ab
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/catmaintenance.tex.orig 2007-01-05 18:20:40.000000000 +0100
++++ manual/catmaintenance.tex
+@@ -545,6 +545,8 @@ Job {
+ Storage = DLTDrive
+ Messages = Standard
+ Pool = Default
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/kern/bacula/bin/make_catalog_backup"
+ RunAfterJob = "/home/kern/bacula/bin/delete_catalog_backup"
+ Write Bootstrap = "/home/kern/bacula/working/BackupCatalog.bsr"
+@@ -573,6 +575,33 @@ you to quickly recover the database back
+ you do not have a bootstrap file, it is still possible to recover your
+ database backup, but it will be more work and take longer.
+
++
++\label{BackingUpBaculaSecurityConsiderations}
++\section{Security considerations}
++\index[general]{Backing Up Your Bacula Database - Security Considerations }
++\index[general]{Database!Backing Up Your Bacula Database - Security Considerations }
++
++We provide make_catalog_backup as an example of what can be used to backup
++your Bacula database. We expect you to take security precautions relevant
++to your situation. make_catalog_backup is designed to take a password on
++the command line. This is fine on machines with only trusted users. It is
++not acceptable on machines without trusted users. Most database systems
++provide a alternative method, which does not place the password on the
++command line.
++
++The make_catalog_backup contains some warnings about how to use it. Please
++read those tips.
++
++To help you get started, we know PostgreSQL has a password file,
++\elink{
++.pgpass}{http://www.postgresql.org/docs/8.2/static/libpq-pgpass.html}, and
++we know MySQL has
++\elink{ .my.cnf}{http://dev.mysql.com/doc/refman/4.1/en/password-security.html}.
++
++Only you can decide what is appropriate for your situation. We have provided
++you with a starting point. We hope it helps.
++
++
+ \label{BackingUPOtherDBs}
+ \section{Backing Up Third Party Databases}
+ \index[general]{Backing Up Third Party Databases }
diff --git a/sysutils/bacula-doc/patches/patch-ac b/sysutils/bacula-doc/patches/patch-ac
new file mode 100644
index 00000000000..a5cdd011709
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/pools.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/pools.tex
+@@ -235,6 +235,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/bacula/bin/make_catalog_backup bacula bacula"
+ # This deletes the copy of the catalog
+ RunAfterJob = "/home/bacula/bin/delete_catalog_backup"
diff --git a/sysutils/bacula-doc/patches/patch-ad b/sysutils/bacula-doc/patches/patch-ad
new file mode 100644
index 00000000000..bc92e170885
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ad
@@ -0,0 +1,13 @@
+$NetBSD: patch-ad,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/postgresql.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/postgresql.tex
+@@ -200,6 +200,8 @@ password in place, these two lines shoul
+ \begin{verbatim}
+ dbname = bacula; user = bacula; password = "secret"
+ ... and ...
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"
+ \end{verbatim}
+ \normalsize
diff --git a/sysutils/bacula-doc/patches/patch-ae b/sysutils/bacula-doc/patches/patch-ae
new file mode 100644
index 00000000000..199f44ba844
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ae
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/strategies.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/strategies.tex
+@@ -232,6 +232,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/usr/lib/bacula/make_catalog_backup -u bacula"
+ # This deletes the copy of the catalog, and ejects the tape
+ RunAfterJob = "/etc/bacula/end_of_backup.sh"
diff --git a/sysutils/bacula/Makefile b/sysutils/bacula/Makefile
index a7caa537a1f..dbf02d7b61b 100644
--- a/sysutils/bacula/Makefile
+++ b/sysutils/bacula/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2008/07/10 13:54:56 dmcmahill Exp $
+# $NetBSD: Makefile,v 1.27 2008/07/13 15:26:36 tonnerre Exp $
-PKGREVISION= 3
+PKGREVISION= 4
 CONFLICTS+= bacula-client-[0-9]* bacula-clientonly-[0-9]*
diff --git a/sysutils/bacula/distinfo b/sysutils/bacula/distinfo
index 985ed3e2574..d1895deb934 100644
--- a/sysutils/bacula/distinfo
+++ b/sysutils/bacula/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/07/10 13:54:56 dmcmahill Exp $
+$NetBSD: distinfo,v 1.29 2008/07/13 15:26:36 tonnerre Exp $
 SHA1 (bacula-2.2.4/2.2.4-lost-block.patch) = d3b9f927100d148e831248b381c5b2543d215502
 RMD160 (bacula-2.2.4/2.2.4-lost-block.patch) = ff24810e204324acc42dbaff0291a0fa02b56e21
@@ -28,6 +28,7 @@ SHA1 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 1fd8e75f231fb3a811696c05ea3c0c719c7528
 RMD160 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 5005d5566f55a8feb8a7efa610cd60a3d92383af
 Size (bacula-2.2.4/bacula-2.2.4.tar.gz) = 3020298 bytes
 SHA1 (patch-aa) = c1e5ec7c3e78c125b9fbaba97190ead10adbc599
+SHA1 (patch-ab) = 24104c731532c00d2901ccd72f43b7184b006496
 SHA1 (patch-ac) = 585f8a00fe7c0e6e8e4c0b91a0bd32bd2fb81c81
 SHA1 (patch-ae) = 69db6d396bd1654b3065d693c5ea2c0afbb8bc61
 SHA1 (patch-af) = 6ecbac39c156c81f30ba53b565f55ab5e876b3e0
@@ -35,4 +36,5 @@ SHA1 (patch-ag) = a2734446ac79380692dd5a2647928919c9b2f2b8
 SHA1 (patch-ah) = 83b156ac18b64d19ea0022103c50c431f3b86b87
 SHA1 (patch-ai) = 499a164fcf9e4fc466b691f91203b4293dcee7eb
 SHA1 (patch-aj) = df5eba3c80d36ecc26c6acb1566a4411c308b2f0
+SHA1 (patch-ak) = d2b751888edf23a696f347c65ab0f11e6a3829f9
 SHA1 (patch-am) = 0b5b81543eb66ad191d94b59c986561e492a069d
diff --git a/sysutils/bacula/patches/patch-ab b/sysutils/bacula/patches/patch-ab
new file mode 100644
index 00000000000..6f645aabe7d
--- /dev/null
+++ b/sysutils/bacula/patches/patch-ab
@@ -0,0 +1,26 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/cats/make_catalog_backup.in.orig 2007-04-24 17:36:15.000000000 +0200
++++ src/cats/make_catalog_backup.in
+@@ -8,7 +8,11 @@
+ # $2 is the user name with which to access the database
+ # (default = bacula).
+ # $3 is the password with which to access the database or "" if no password
+-# (default "")
++# (default ""). WARNING!!! Passing the password via the command line is
++# insecure and should not be used since any user can display the command
++# line arguments and the environment using ps. Please consult your
++# MySQL or PostgreSQL manual for secure methods of specifying the
++# password.
+ # $4 is the host on which the database is located
+ # (default "")
+
+@@ -31,7 +35,7 @@ else
+ else
+ MYSQLHOST=""
+ fi
+- ${BINDIR}/mysqldump -u $2$MYSQLPASSWORD$MYSQLHOST -f --opt $1 >$1.sql
++ ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
+ else
+ if test xpostgresql = x@DB_TYPE@ ; then
+ if test $# -gt 2; then
diff --git a/sysutils/bacula/patches/patch-ak b/sysutils/bacula/patches/patch-ak
new file mode 100644
index 00000000000..09b4e85387e
--- /dev/null
+++ b/sysutils/bacula/patches/patch-ak
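Review bot: The only code change in patch-ab for src/cats/make_catalog_backup.in, bracing `-u $2$MYSQLPASSWORD$MYSQLHOST` into `-u ${2}${MYSQLPASSWORD}${MYSQLHOST}`, does not change what mysqldump receives: whatever MYSQLPASSWORD holds (it is set outside this hunk, presumably from `$3`) still lands in the mysqldump argv, so the exposure the commit message names is documented by the new comment block rather than removed, which the quoted "solving" in the description already concedes. If the pkgsrc patch is meant to stay comment-only, the braced line deserves a comment saying so, e.g. `# NOTE: bracing these expansions does not hide the password; it is still visible in mysqldump's argument list`, so a later reader does not take the rewrite for a fix. The mechanism that would actually keep the secret out of argv is the per-user password file that the bacula-doc patch-ab in this same commit points at (.my.cnf for MySQL, .pgpass for PostgreSQL); having the script rely on that instead of `$3` would be the substantive change. The new header comment's claim that ps also exposes the environment to any user holds only on some platforms and may be worth qualifying. The surrounding if/else that selects the database type starts and ends outside this hunk.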
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.3 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/dird/bacula-dir.conf.in.orig 2007-05-27 21:30:39.000000000 +0200
++++ src/dird/bacula-dir.conf.in
+@@ -61,6 +61,8 @@ Job {
+ FileSet="Catalog"
+ Schedule = "WeeklyCycleAfterBackup"
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "@scriptdir@/make_catalog_backup bacula bacula"
+ # This deletes the copy of the catalog
+ RunAfterJob = "@scriptdir@/delete_catalog_backup" |