[Secure-testing-team] Bug#568925: esmtp: configuration file world-readable
Rolf Leggewie
debian-bugs at rolf.leggewie.biz
Mon Feb 8 21:17:06 UTC 2010
Package: esmtp
Version: 0.6.0-1
Severity: critical
Tags: security
Justification: root security hole
The configuration file for esmtp is installed world-readable. This is a security
hole since it may contain user/password combinations for remote mail servers. This
is even likely to be generally the case.
I report this from my Ubuntu machine after checking the Debian Changelog did not
contain any reference to this being fixed. After looking at esmtp.postinst from
the Debian package I am also reasonably confident that this issue is still
present in the latest unstable package. Please accept my apologies should that
not be the case.
-- System Information:
Debian Release: squeeze/sid
APT prefers karmic-updates
APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-11-generic (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages esmtp depends on:
ii debconf [debconf-2.0] 1.5.27ubuntu2 Debian configuration management sy
ii libc6 2.10.1-0ubuntu16 GNU C Library: Shared libraries
ii libesmtp5 1.0.4-2 LibESMTP SMTP client library
Versions of packages esmtp recommends:
ii esmtp-run 0.6.0-1 User configurable relay-only MTA
Versions of packages esmtp suggests:
pn procmail | maildrop | deliver <none> (no description available)
-- debconf information excluded
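
The check this report implies, as an added example that is not part of the original message or of the esmtp package: audit a credential-bearing configuration file for world-read permission and tighten it. The file path is passed as an argument because the report does not name it; the `key = value` credential pattern and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a config file that may hold SMTP credentials.

# Return 0 if "other" has read permission on the regular file $1.
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 -print 2>/dev/null)" ]
}

# Return 0 if the file has a line that looks like a stored credential.
# Assumption: credentials are written as `username = ...` / `password = ...`.
has_credentials() {
    grep -Eiq '^[[:space:]]*(username|password)[[:space:]]*=' "$1"
}

# Print a verdict. Exit status: 0 = ok, 1 = world-readable, 2 = missing.
audit_conf() {
    f=$1
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    if is_world_readable "$f"; then
        if has_credentials "$f"; then
            echo "EXPOSED $f: world-readable and contains credentials"
        else
            echo "WEAK $f: world-readable"
        fi
        return 1
    fi
    echo "OK $f"
}

# Remove every permission bit for "other"; owner and group are untouched.
harden_conf() {
    chmod o-rwx "$1"
}

# Constructed demo on a temporary file, not a real system path.
demo=$(mktemp)
printf 'hostname = mail.example.org:25\nusername = "alice"\npassword = "constructed"\n' > "$demo"
chmod 644 "$demo"          # the mode the report complains about
audit_conf "$demo" || :    # reports EXPOSED
harden_conf "$demo"
audit_conf "$demo" || :    # reports OK
rm -f "$demo"
```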