[DRE-maint] Bug#964759: redmine: insecure account with well-known password
Soren Stoutner
soren at debian.org
Tue Feb 11 20:10:47 GMT 2025
Andrius,
I realized that the previous email I sent to this bug did not expressly copy the submitter, so
you might not have seen it unless you were subscribed to the bug. Please see the text of
the original email below:
Thank you for submitting this bug report with the associated patch. I am
sorry it took four years for anyone to respond to it.
In some ways, I find your solution elegant. But I am uncertain how it would
interact with setting up multiple instances. And I am also uncertain that it
is a problem that needs fixing, in the sense that by default no instance is
reachable when Redmine is first installed.
If an admin has concerns that a new instance could be hacked before he can
change the default admin password, then he can simply constrict the example
Apache config files to only expose the new instance to a browser he controls
during the initial setup, like localhost or a specific IP address.
Alternately, it looks like it should be possible to change the default admin
password via the command line before any instance is ever exposed via a manual
Apache configuration.
https://stackoverflow.com/questions/30655292/is-there-a-rake-command-to-reset-a-redmine-admin-password
I have not yet tested any of these commands, but if it is a concern that the
default instance initially exposes a default password, perhaps we should add a
list of commands to README.Debian a user can run to change the password before
setting Apache to serve up the Redmine instance.
--
Soren Stoutner
soren at debian.org
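The "expose only to a browser the admin controls" approach mentioned above, as an added illustration that is not part of the message and not the Debian package's own example configuration: an Apache 2.4 virtual host that serves the new Redmine instance only to localhost (or to one fixed admin address) until the default admin password has been changed, with the opened-up directive shown alongside as a comment. The server name, document root and the 192.0.2.10 address are placeholders; the Debian package's shipped Apache files use their own paths and Passenger settings, which this fragment does not reproduce.

```apache
# Added example (not the Debian redmine package's shipped config).
# Phase 1, initial setup: only the local machine may reach the instance,
# so the well-known default admin credentials are never exposed to the
# network before they are changed.
<VirtualHost *:80>
    ServerName redmine.example.org        # placeholder
    DocumentRoot /var/www/redmine         # placeholder

    <Location />
        # Apache 2.4 syntax: allow requests arriving over a loopback address.
        Require local

        # Alternatively, allow exactly one admin workstation (placeholder IP):
        # Require ip 192.0.2.10

        # Phase 2, after the admin password has been changed (for instance via
        # the command-line route the message links to), widen access by
        # replacing the directive above with:
        # Require all granted
    </Location>
</VirtualHost>
```

The point of the two phases is that `Require local` is evaluated before any Redmine code runs, so the default password is unreachable from the network regardless of application state; only after the password has actually been changed is the directive relaxed.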