[pkg-fetchmail-maint] Bug#336096: marked as done ([sarge]
CVE-2005-3088 - password exposure in fetchmailconf)
Debian Bug Tracking System
owner at bugs.debian.org
Fri Jan 13 13:48:14 UTC 2006
Your message dated Fri, 13 Jan 2006 14:47:21 +0100
with message-id <20060113134721.GA27553 at ngolde.de>
and subject line (no subject)
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Oct 2005 19:26:11 +0000
>From jmm at inutil.org Thu Oct 27 12:26:11 2005
Return-path: <jmm at inutil.org>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EVDO7-0001PT-00; Thu, 27 Oct 2005 12:26:11 -0700
Received: from dslb-082-083-255-138.pools.arcor-ip.net ([82.83.255.138] helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1EVDO5-0003X8-5A
for submit at bugs.debian.org; Thu, 27 Oct 2005 21:26:09 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.54)
id 1EVDOg-0001Rt-J2; Thu, 27 Oct 2005 21:26:46 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: CVE-2005-3088: Insecure file creation in fetchmailconf may expose sensitive
data
X-Mailer: reportbug 3.17
Date: Thu, 27 Oct 2005 21:26:46 +0200
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Message-Id: <E1EVDOg-0001Rt-J2 at localhost.localdomain>
X-SA-Exim-Connect-IP: 82.83.255.138
X-SA-Exim-Mail-From: jmm at inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: fetchmail
Version: 6.2.5-18
Severity: normal
Tags: security
A minor security problem has been found in fetchmailconf; insecure file
creation may expose sensitive data such as password information. Please
see http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt for details.
This has been assigned CVE-2005-3088, please mention so in the changelog
when fixing this.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Versions of packages fetchmail depends on:
ii adduser 3.77 Add and remove users and groups
ii base-files 3.1.9 Debian base system miscellaneous f
ii debianutils 2.15 Miscellaneous utilities specific t
ii libc6 2.3.5-7 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
Versions of packages fetchmail recommends:
ii ca-certificates 20050804 Common CA Certificates PEM files
-- no debconf information
---------------------------------------
Received: (at 336096-done) by bugs.debian.org; 13 Jan 2006 13:47:22 +0000
>From nico at ngolde.de Fri Jan 13 05:47:22 2006
Return-path: <nico at ngolde.de>
Received: from natnoddy.rzone.de ([81.169.145.166])
by spohr.debian.org with esmtp (Exim 4.50)
id 1ExPH0-0006Tf-Hy
for 336096-done at bugs.debian.org; Fri, 13 Jan 2006 05:47:22 -0800
Received: from ngolde.de (e178103198.adsl.alicedsl.de [85.178.103.198])
by post.webmailer.de (8.13.1/8.13.1) with ESMTP id k0DDlKwE028208
for <336096-done at bugs.debian.org>; Fri, 13 Jan 2006 14:47:20 +0100 (MET)
Received: by ngolde.de (Postfix, from userid 1000)
id 04B56530005; Fri, 13 Jan 2006 14:47:21 +0100 (CET)
Date: Fri, 13 Jan 2006 14:47:21 +0100
From: Nico Golde <nico at ngolde.de>
To: 336096-done at bugs.debian.org
Message-ID: <20060113134721.GA27553 at ngolde.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e"
Content-Disposition: inline
X-Editor: VIM - Vi IMproved 6.4 (2005 Oct 15, compiled Dec 23 2005 00:53:36)
X-Mailer: Mutt-ng http://www.muttng.org
X-Operating-System: Debian GNU/Linux sid
X-My-Homepage: http://www.ngolde.de
User-Agent: mutt-ng/devel-r556 (Debian)
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-1.5 required=4.0 tests=BAYES_00,NOSUBJECT
autolearn=no version=2.60-bugs.debian.org_2005_01_02
--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi,
I think this bug has been fixed with the latest upload of=20
fetchmail-6.3.1-1.
Regards Nico
--=20
Nico Golde - JAB: nion at jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
--cNdxnHkX5QqsyA0e
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDx69pHYflSXNkfP8RApa5AJ947/2hehm0Uboj/TpUwLz04hUCXQCgjCO0
mUBEQiP3fVBXaK0sFOJNkco=
=S4Bc
-----END PGP SIGNATURE-----
--cNdxnHkX5QqsyA0e--
More information about the pkg-fetchmail-maint
mailing list