[pkg-fetchmail-maint] Bug#336096: marked as done (CVE-2005-3088: Insecure file creation in fetchmailconf may expose sensitive data)

Debian Bug Tracking System owner at bugs.debian.org
Tue Nov 15 18:33:26 UTC 2005


Your message dated Tue, 15 Nov 2005 10:17:36 -0800
with message-id <E1Ec5NA-00025E-6F at spohr.debian.org>
and subject line Bug#336096: fixed in fetchmail 6.2.5.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Oct 2005 19:26:11 +0000
>From jmm at inutil.org Thu Oct 27 12:26:11 2005
Return-path: <jmm at inutil.org>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EVDO7-0001PT-00; Thu, 27 Oct 2005 12:26:11 -0700
Received: from dslb-082-083-255-138.pools.arcor-ip.net ([82.83.255.138] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1EVDO5-0003X8-5A
	for submit at bugs.debian.org; Thu, 27 Oct 2005 21:26:09 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.54)
	id 1EVDOg-0001Rt-J2; Thu, 27 Oct 2005 21:26:46 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: CVE-2005-3088: Insecure file creation in fetchmailconf may expose sensitive
 data
X-Mailer: reportbug 3.17
Date: Thu, 27 Oct 2005 21:26:46 +0200
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Message-Id: <E1EVDOg-0001Rt-J2 at localhost.localdomain>
X-SA-Exim-Connect-IP: 82.83.255.138
X-SA-Exim-Mail-From: jmm at inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: fetchmail
Version: 6.2.5-18
Severity: normal
Tags: security

A minor security problem has been found in fetchmailconf; insecure file
creation may expose sensitive data such as password information. Please
see http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt for details.

This has been assigned CVE-2005-3088, please mention so in the changelog
when fixing this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)

Versions of packages fetchmail depends on:
ii  adduser                       3.77       Add and remove users and groups
ii  base-files                    3.1.9      Debian base system miscellaneous f
ii  debianutils                   2.15       Miscellaneous utilities specific t
ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7g-5   SSL shared libraries

Versions of packages fetchmail recommends:
ii  ca-certificates               20050804   Common CA Certificates PEM files

-- no debconf information

---------------------------------------
Received: (at 336096-close) by bugs.debian.org; 15 Nov 2005 18:21:24 +0000
>From katie at ftp-master.debian.org Tue Nov 15 10:21:24 2005
Return-path: <katie at ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1Ec5NA-00025E-6F; Tue, 15 Nov 2005 10:17:36 -0800
From: Loic Minier <lool at dooz.org>
To: 336096-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#336096: fixed in fetchmail 6.2.5.4-1
Message-Id: <E1Ec5NA-00025E-6F at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Tue, 15 Nov 2005 10:17:36 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: fetchmail
Source-Version: 6.2.5.4-1

We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive:

fetchmail-ssl_6.2.5.4-1_all.deb
  to pool/main/f/fetchmail/fetchmail-ssl_6.2.5.4-1_all.deb
fetchmail_6.2.5.4-1.diff.gz
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.diff.gz
fetchmail_6.2.5.4-1.dsc
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.dsc
fetchmail_6.2.5.4-1_i386.deb
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1_i386.deb
fetchmail_6.2.5.4.orig.tar.gz
  to pool/main/f/fetchmail/fetchmail_6.2.5.4.orig.tar.gz
fetchmailconf_6.2.5.4-1_all.deb
  to pool/main/f/fetchmail/fetchmailconf_6.2.5.4-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336096 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool at dooz.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Nov 2005 18:53:37 +0100
Source: fetchmail
Binary: fetchmailconf fetchmail-ssl fetchmail
Architecture: source i386 all
Version: 6.2.5.4-1
Distribution: unstable
Urgency: high
Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint at lists.alioth.debian.org>
Changed-By: Loic Minier <lool at dooz.org>
Description: 
 fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmail-ssl - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmailconf - fetchmail configurator
Closes: 288063 314509 321272 323637 330522 336096
Changes: 
 fetchmail (6.2.5.4-1) unstable; urgency=high
 .
   [ Lucas Wall ]
     - pidfile checking in init.d script (closes: #323637).
 .
   [ Nico Golde ]
     - Only create fetchmail user if it doesn't exist (closes: #330522,#321272).
     - respect the permissions of fetchmail home.
     - rebuild against latest openssl version.
     - removed deletion of /etc/fetchmailrc,
       see statement in BTS. (closes: #288063).
     - adjusted legal notes (Thanks Marc Brockschmidt for the hint).
 .
   [ Loic Minier ]
   * New upstream stable releases.
     - Fix password exposure in fetchmailconf: use umask 077 before opening
       output file and restore umask later. (Closes: #336096)
       This is CVE-2005-3088.
     - Drop 01pop3sec.dpatch, included upstream.
     - Fix IMAP timeouts, counting message count down on servers that do not
       send EXISTS counts after EXPUNGE. (Closes: #314509)
     - Unlist spanish translation patch for now, as the spanish translation was
       completely destroyed upstream.
   * Add myself to Uploaders.
Files: 
 6e5f306aed047dc28e87bf7651357ebe 858 mail optional fetchmail_6.2.5.4-1.dsc
 16af4db00e200445a55e6f7a9a267649 1275624 mail optional fetchmail_6.2.5.4.orig.tar.gz
 5b6d534009350e90a5fd0cfa432cf30e 79388 mail optional fetchmail_6.2.5.4-1.diff.gz
 93f0fb1c89dc716a7f28c874535faabf 104398 mail optional fetchmailconf_6.2.5.4-1_all.deb
 48c68a538716d9ab63db700f15f0dd1a 45070 mail optional fetchmail-ssl_6.2.5.4-1_all.deb
 68e50437e01725fccee667763ac2573e 290118 mail optional fetchmail_6.2.5.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDeiIJ4VUX8isJIMARAtgNAJoDdUQpIE08bCigJ/8jSW8TT1rh7wCfYCDb
SIKaKIeMQQ9TUY+Y0GKzY/Y=
=uedC
-----END PGP SIGNATURE-----
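As an added example that is not part of the bug report, the changelog above, or fetchmail's own source: the pattern the changelog describes ("use umask 077 before opening output file and restore umask later") written out beside the pre-fix pattern it replaces, plus a stricter variant, in Python because fetchmailconf is a Python program. The rc line and file names are constructed, and `write_rc_hardened`, `is_private` and `demo` are hypothetical helpers of mine, not fetchmailconf functions. The example also shows the caveat a practitioner would want: a umask only governs files at creation, so an rc file that already exists world-readable is not tightened by the umask change alone.

```python
import os
import stat
import tempfile

# Constructed sample rc content with a placeholder password (not a real credential).
SAMPLE_RC = 'poll mail.example.org proto imap user "alice" password "hunter2"\n'


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_rc_insecure(path, content=SAMPLE_RC):
    """Pre-fix pattern: plain open() under the process's default umask.
    With the common umask of 022 a new file comes out 0644, so any local
    user can read the password line."""
    with open(path, "w") as f:
        f.write(content)
    return file_mode(path)


def write_rc_umask(path, content=SAMPLE_RC):
    """The fix as the changelog describes it: set umask 077 before opening
    the output file and restore the previous umask afterwards, so a new file
    is created 0600. The umask is process-wide (not thread-safe) and has no
    effect on a file that already exists."""
    old = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write(content)
    finally:
        os.umask(old)
    return file_mode(path)


def write_rc_hardened(path, content=SAMPLE_RC):
    """Hypothetical stricter variant (my addition, not fetchmail's code):
    request 0600 at creation via os.open so the result does not depend on
    the umask, then fchmod the open descriptor so a pre-existing,
    world-readable rc file is tightened as well."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(content)
    return file_mode(path)


def is_private(path):
    """Check to run against an existing ~/.fetchmailrc: no group/other bits set."""
    return file_mode(path) & 0o077 == 0


def demo(initial_umask=0o022):
    """Exercise all three writers in a temp dir under a lax umask and return
    the resulting modes, including the 'file already exists' case."""
    saved = os.umask(initial_umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            p_ins = os.path.join(d, "insecure.rc")
            p_um = os.path.join(d, "umask.rc")
            p_hard = os.path.join(d, "hardened.rc")
            result = {
                "insecure": write_rc_insecure(p_ins),      # 0o644
                "umask": write_rc_umask(p_um),             # 0o600
                "hardened": write_rc_hardened(p_hard),     # 0o600
                "hardened_private": is_private(p_hard),    # True
            }
            # Rewriting an existing 0644 file: the umask only matters at
            # creation, so the umask-based fix leaves it world-readable ...
            result["umask_over_existing"] = write_rc_umask(p_ins)        # 0o644
            # ... while the fchmod variant repairs it.
            result["hardened_over_existing"] = write_rc_hardened(p_ins)  # 0o600
            return result
    finally:
        os.umask(saved)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value if isinstance(value, bool) else format(value, '04o')}")
```

Running `demo()` prints the mode each writer produces; the "over_existing" rows are the point of the caveat, and `is_private` is the one-line check to run on an already-installed rc file after upgrading.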