[debian-edu-commits] r80487 - branches/wheezy/debian-edu-config/debian

pere at alioth.debian.org pere at alioth.debian.org
Mon Jun 10 08:10:22 UTC 2013


Author: pere
Date: 2013-06-10 08:10:21 +0000 (Mon, 10 Jun 2013)
New Revision: 80487

Modified:
   branches/wheezy/debian-edu-config/debian/changelog
   branches/wheezy/debian-edu-config/debian/debian-edu-config.postinst
Log:
Add postinst code to purge the leftover passwords from the debconf
database when debian-edu-config is upgraded from a vulnerable
version (Closes: #711251).

Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog	2013-06-10 08:03:57 UTC (rev 80486)
+++ branches/wheezy/debian-edu-config/debian/changelog	2013-06-10 08:10:21 UTC (rev 80487)
@@ -1,3 +1,11 @@
+debian-edu-config (1.707~svn80486) UNRELEASED; urgency=low
+
+  * Add postinst code to purge the leftover passwords from the debconf
+    database when debian-edu-config is upgraded from a vulnerable
+    version (Closes: #711251).
+
+ -- Petter Reinholdtsen <pere at debian.org>  Mon, 10 Jun 2013 10:08:08 +0200
+
 debian-edu-config (1.706) unstable; urgency=low
 
   * Uploaded to the Debian Edu archive as debian-edu-config 1.706~svn80452:

Modified: branches/wheezy/debian-edu-config/debian/debian-edu-config.postinst
===================================================================
--- branches/wheezy/debian-edu-config/debian/debian-edu-config.postinst	2013-06-10 08:03:57 UTC (rev 80486)
+++ branches/wheezy/debian-edu-config/debian/debian-edu-config.postinst	2013-06-10 08:10:21 UTC (rev 80487)
@@ -2,6 +2,47 @@
 
 set -e
 
+running_from_di() {
+    # Look for file created by base-installer and removed at the end
+    # of the d-i run.
+    [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ]
+}
+
+# This block must be done on upgrades before debconf is enabled, and
+# not when the upgrade is done from within d-i.
+if [ ! "$DEBIAN_HAS_FRONTEND" ] && [ "$1" = configure ] && [ -n "$2" ] && \
+    ! running_from_di ; then
+    # Purge clear text passwords left over from the installation from
+    # debconf templates.dat and templates.dat-old (BTS #711251).
+    # Calling debconf-set-selections twice to also purge it from
+    # templates.dat-old.
+    clearpwd=false
+    for template in \
+	debian-edu-config/kdc-password \
+	debian-edu-config/kdc-password-again \
+	debian-edu-config/ldap-password-again \
+	debian-edu-config/ldap-password \
+	debian-edu-config/first-user-password ; do
+	if [ -n "$(perl -MDebconf::Db -MDebconf::Template -e "Debconf::Db->load; my \$template = Debconf::Template->get('$template'); print \$template->default || \$template->value;")" ]; then
+	    clearpwd=true
+	fi
+    done
+    wipepwdsfromdebconf() {
+	cat <<EOF | debconf-set-selections
+debian-edu-config debian-edu-config/kdc-password password
+debian-edu-config debian-edu-config/kdc-password-again password
+debian-edu-config debian-edu-config/ldap-password password
+debian-edu-config debian-edu-config/ldap-password-again password
+debian-edu-config debian-edu-config/first-user-password password
+EOF
+    }
+    if $clearpwd ; then
+	echo "info: Found clear text passwords in debconf database.  Wiping them."
+	wipepwdsfromdebconf
+	wipepwdsfromdebconf
+    fi
+fi
+
 # Enable debconf
 . /usr/share/debconf/confmodule
 
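Review bot: The detection test `[ -n "$(perl -MDebconf::Db …)" ]` in the `for template` loop fails open. Because the command substitution sits inside the test, a perl error (for example if `Debconf::Db->load` cannot open the database) produces empty output, `set -e` does not trigger, `clearpwd` stays false and the stored passwords are left in place with no message. Since this block exists to remove credentials, a failed lookup should be reported rather than read as "nothing found", e.g. capture the value first with `val=$(perl …) || echo "warning: could not inspect $template in debconf" >&2` and then test `[ -n "$val" ]`. A template unknown to debconf presumably also makes the method call die, so the warning path should expect that case. A one-line comment above `wipepwdsfromdebconf` noting that the empty value field after `password` is what blanks the stored value would also help the next reader.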



