[DRE-maint] Bug#964759: redmine: insecure account with well-known password
merkys at debian.org
Fri Jul 10 07:46:45 BST 2020
Package: redmine
Severity: important
Forwarded: https://salsa.debian.org/ruby-team/redmine/-/merge_requests/3
Tags: patch security
Hello,
Upon installing, Redmine is configured with an admin Web account with
well-known password "admin". This is insecure, as anyone with Web access
is able to access the admin account right after the Redmine Web service
becomes live. I think Debian packages must not expose interfaces
accessible with well-known passwords.
I propose a Debian-only patch [1] to set a random password in the postinst
script, and store it in plaintext in a root-only readable location.
This should mitigate the security issue.
[1] https://salsa.debian.org/ruby-team/redmine/-/merge_requests/3
Best,
Andrius
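An added example of the postinst approach the report describes, written for this page and not taken from the linked merge request: the password comes from the kernel CSPRNG and is written to a file that is created mode 0600 before any secret lands in it, so there is no window in which it is world-readable. The file path and the Redmine-side command in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not the Debian patch itself). Generates a random admin
# password and stores it where only root can read it, as a postinst could.
set -eu

# Hypothetical location; a real postinst would use a path under /etc or /var.
SECRET_FILE="${SECRET_FILE:-/tmp/redmine-admin-password.example}"

generate_password() {
    # 24 bytes from the kernel CSPRNG, base64 encoded (32 characters, no padding)
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

store_password() {
    pw="$1"
    file="$2"
    # Remove any stale copy first: truncating an existing file would keep
    # its old (possibly wider) permissions.
    rm -f "$file"
    # Create the file with mode 0600 before writing the secret into it.
    ( umask 077; : > "$file" )
    printf '%s\n' "$pw" > "$file"
}

check_perms() {
    # Succeeds only if the file is a regular file with mode 0600.
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

main() {
    pw="$(generate_password)"
    store_password "$pw" "$SECRET_FILE"
    check_perms "$SECRET_FILE"
    # Assumed Redmine step (not run here): apply the password to the admin
    # user and force a change at first login, e.g. via rails runner:
    #   User.find_by_login('admin').update!(password: pw, must_change_passwd: true)
    echo "admin password stored in $SECRET_FILE (root-only readable)"
}

main
```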