Your message dated Tue, 24 Nov 2009 03:47:44 +0000
with message-id <[email protected]>
and subject line Bug#500454: fixed in ssmtp 2.64-1
has caused the Debian Bug report #500454,
regarding ssmtp: AuthUser/AuthPass visible to all users
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
500454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ssmtp
Version: 2.62-1
Severity: important
Because ssmtp is run by the user invoking sendmail, its config file is
required to be readable. However, this results in disclosure of the
username/password used for SMTP AUTH on the relaying mail server.

Please consider fixing this.

Example methods:

Add an ssmtp group, change the ownership and permissions of /etc/ssmtp/*
to root:ssmtp 0640 or 0660, and make ssmtp/sendmail root:ssmtp and
setgid so that when run by a user, it runs as group ssmtp and gets
permission to read the file; the user won't ever have permission to
read. You could also use the existing "mail" group, if appropriate.

You could also do this using setuid to root or a ssmtp user, but this is
unnecessary and has potential security implications that a simple setgid
change would not.

This won't require any code changes; it's simply an
ownership/permissions tweak.

Thanks,
Roger
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.26-1-powerpc
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ssmtp depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libgnutls26 2.4.1-1 the GNU TLS library - runtime libr
ssmtp recommends no packages.
ssmtp suggests no packages.
-- debconf information excluded
--- End Message ---
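The ownership and permission layout proposed in the report above can be checked mechanically. The following audit function is an added example, not part of the original report or of the ssmtp package; the function name and the paths in the usage comment are assumptions, and GNU stat (coreutils) is assumed for the -c option.

```shell
#!/bin/sh
# Added example: audit the setgid layout proposed in the bug report.
# Paths are passed in; GNU stat (coreutils) is assumed for -c.
# Prints one finding per line; returns 0 when the layout matches,
# 1 when there are findings, 2 when a path cannot be inspected.
check_ssmtp_layout() {
    conf=$1; bin=$2; findings=0
    # %a = octal mode, %g = numeric group id
    conf_mode=$(stat -c '%a' "$conf") || return 2
    conf_gid=$(stat -c '%g' "$conf") || return 2
    bin_mode=$(stat -c '%a' "$bin") || return 2
    bin_gid=$(stat -c '%g' "$bin") || return 2

    # Any "other" bit on the config lets every local user reach AuthPass.
    if [ $(( 0$conf_mode & 0007 )) -ne 0 ]; then
        echo "config $conf mode $conf_mode: accessible to other users"
        findings=$((findings + 1))
    fi
    # The setgid binary reads the file through its group bits (0640/0660).
    if [ $(( 0$conf_mode & 0040 )) -eq 0 ]; then
        echo "config $conf mode $conf_mode: not group-readable"
        findings=$((findings + 1))
    fi
    # Without setgid, the binary runs with the caller's groups only.
    if [ $(( 0$bin_mode & 02000 )) -eq 0 ]; then
        echo "binary $bin mode $bin_mode: setgid bit not set"
        findings=$((findings + 1))
    fi
    # The report calls setuid unnecessary; flag it if present.
    if [ $(( 0$bin_mode & 04000 )) -ne 0 ]; then
        echo "binary $bin mode $bin_mode: setuid bit set"
        findings=$((findings + 1))
    fi
    # The group granted by setgid must be the group that owns the config.
    if [ "$conf_gid" != "$bin_gid" ]; then
        echo "group mismatch: config gid=$conf_gid binary gid=$bin_gid"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Example invocation (paths are assumptions, not taken from the report):
#   check_ssmtp_layout /etc/ssmtp/ssmtp.conf /usr/sbin/ssmtp
if [ "$#" -eq 2 ]; then
    check_ssmtp_layout "$1" "$2"
fi
```
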
--- Begin Message ---
Source: ssmtp
Source-Version: 2.64-1
We believe that the bug you reported is fixed in the latest version of
ssmtp, which is due to be installed in the Debian FTP archive:
ssmtp_2.64-1.debian.tar.bz2
to main/s/ssmtp/ssmtp_2.64-1.debian.tar.bz2
ssmtp_2.64-1.dsc
to main/s/ssmtp/ssmtp_2.64-1.dsc
ssmtp_2.64-1_amd64.deb
to main/s/ssmtp/ssmtp_2.64-1_amd64.deb
ssmtp_2.64.orig.tar.bz2
to main/s/ssmtp/ssmtp_2.64.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[email protected]> (supplier of updated ssmtp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 24 Nov 2009 14:21:52 +1100
Source: ssmtp
Binary: ssmtp
Architecture: source amd64
Version: 2.64-1
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Anibal Monsalve Salazar <[email protected]>
Description:
ssmtp - extremely simple MTA to get mail off the system to a mail hub
Closes: 500454 557725 557741
Changes:
ssmtp (2.64-1) unstable; urgency=low
.
* New upstream version
Delete 02-397149-amd64-crammd5.patch (merged)
* Source package format is 3.0 (quilt)
* Fix out-of-date-standards-version
* Fix malformed-prompt-in-templates
* Fix no-homepage-field
* Add 02-557725-solaris.patch by Darik Horn to make ssmtp compatible
with Solaris 11. Closes: 557725
* Add 03-557741-remote-addr.patch by Victor Sudakov to insert the
X-Originating-IP header. Closes: 557741
* Make AuthUser/AuthPass not visible to all users. Closes: 500454
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksLVbcACgkQgY5NIXPNpFXnrwCfZ07sKvct+80KWJ3voQHnmNG8
zeYAniasiDu94esWBYO6ZcoV0wZCQYo3
=a0eV
-----END PGP SIGNATURE-----
--- End Message ---