[Secure-testing-team] Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Aaron Schrab
aaron at schrab.com
Sat Aug 11 21:58:50 UTC 2012
Package: nullmailer
Version: 1:1.11-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
During installation, this package uses debconf to get information about how
mail should be delivered, giving examples that show how to specify a password
for an SMTP account. This information is then saved to
/etc/nullmailer/remotes which is readable by any account on the system.
--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64
Debian Release: wheezy/sid
500 unstable http.debian.net
--- Package information. ---
Depends (Version) | Installed
==============================-+-===============
libc6 (>= 2.4) | 2.13-35
libgnutls26 (>= 2.12.17-0) | 2.12.20-1
libstdc++6 (>= 4.1.1) | 4.7.1-6
debconf (>= 0.5) | 1.5.45
OR debconf-2.0 |
lsb-base | 4.1+Debian7
Recommends (Version) | Installed
================================-+-===========
rsyslog | 5.8.11-1+b1
OR system-log-daemon |
Package's Suggests field is empty.
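
An audit check for the exposure reported above, as an added example that is not part of the original report or of the nullmailer package. It assumes credentials are written on a remote line as --user= / --pass= options; the function names, host name and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a nullmailer remotes file for the exposure in this report.
# Assumption: credentials appear as --user= / --pass= options on a remote line.

# Succeeds when "other" has the read bit set on the file.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Succeeds when any non-comment line carries a --pass= option.
has_inline_password() {
    grep -Eq '^[^#]*--pass=' "$1"
}

# Prints one verdict word and returns 0 only when the file is not exposed.
audit_remotes() {
    f=$1
    if [ ! -f "$f" ]; then echo "missing"; return 2; fi
    if is_world_readable "$f"; then
        if has_inline_password "$f"; then
            echo "exposed"; return 1
        fi
        echo "world-readable"; return 1
    fi
    echo "ok"; return 0
}

# Remove access for "other"; owner and group are left untouched.
tighten_remotes() {
    chmod o-rwx "$1"
}

# Constructed sample, written to a temporary directory rather than /etc.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'smtp.example.net smtp --user=alice --pass=EXAMPLE-ONLY' > "$d/remotes"
    chmod 644 "$d/remotes"
    before=$(audit_remotes "$d/remotes") || true
    tighten_remotes "$d/remotes"
    after=$(audit_remotes "$d/remotes") || true
    rm -rf "$d"
    echo "$before -> $after"
}

demo
```

On an installed system, run audit_remotes against /etc/nullmailer/remotes; a password that was already stored while the file was world-readable should be treated as disclosed and changed.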