Your message dated Mon, 08 Mar 2021 22:33:29 +0000 with message-id <[email protected]> and subject line "Bug#984810: fixed in courier-authlib 0.71.1-2" has caused the Debian Bug report #984810, regarding "courier-authlib: authtest can access user data information from normal users account", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
984810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: courier-authlib
Version: 0.71.0-1
Tags: upstream security buster stretch bullseye
Justification: user security hole
Severity: grave
Usertags: security

The /usr/sbin/auth is a program that can test, from an installation setup, whether the authlib daemon is working without the complete courier suite installed (for a cluster or distributed environment, as I made it).

Currently, as a normal user, the users database can be accessed if we set up mysql, postgres or sqlite, and ldap setups as well. I mean, a limited account can query users' mail data to make some kind of attack. This information is revealed from the DB:

serveruno:$ authtest test
Authentication succeeded.
Authenticated: test (uid 244, gid 244)
Home Directory: /home/users/intranetusers/test
Maildir: /home/users/intranetusers/test/Maildir
Quota: (none)
Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
Cleartext Password: 1
Options: (none)

Of course, not storing the clear password is good practice, but in intranets and corporate environments known passwords are mandatory due to the management of users. In any case, this information is too open.

We used authpasswd to check that the users db setup is working on changes and upgrades. For this upgrade from a stable installation, to properly test the latest version before sending this report: the problem is present in all versions packaged by Debian. I asked upstream, but this problem is so obvious that I am sending it to Debian. A sensible solution is to limit access to the program (what I do):

chmod 750 /usr/sbin/authtest
chown courier:root /usr/sbin/authtest

I already asked upstream, but I don't know what Sam will think about it!

ADDITIONAL NOTE: the package that owns the program is authlib. This is completely wrong, because important setup is not retrieved by reportbug, like the modified authdaemon setup files. The /usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest must belong to authdaemon (to make sense).

Kernel: Linux 5.10.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-authlib depends on:
ii  adduser    3.118
ii  libc6      2.31-9
ii  libgcc-s1  10.2.1-6
ii  libgdbm6   1.19-2
ii  libltdl7   2.4.6-15
ii  libpam0g   1.4.0-6
ii  libstdc++6 10.2.1-6

Versions of packages courier-authlib recommends:
pn  expect  <none>

courier-authlib suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: courier-authlib
Source-Version: 0.71.1-2
Done: Markus Wanner <[email protected]>

We believe that the bug you reported is fixed in the latest version of courier-authlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <[email protected]> (supplier of updated courier-authlib package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Mar 2021 23:11:08 +0100
Source: courier-authlib
Architecture: source
Version: 0.71.1-2
Distribution: unstable
Urgency: medium
Maintainer: Markus Wanner <[email protected]>
Changed-By: Markus Wanner <[email protected]>
Closes: 984810 984818
Changes:
 courier-authlib (0.71.1-2) unstable; urgency=medium
 .
   * Tighten permissions on /run/courier/authdaemon. Closes: #984810.
   * Correct init script to be idempotent. Closes: #984818.
   * Move binaries authpasswd, authtest, and authenumerate from
     courier-authlib to courier-authdaemon. They require the daemon to
     run and are useless without it.
Checksums-Sha1:
 5e2c428da50c14298afd501ed77145ce3a69ba26 3754 courier-authlib_0.71.1-2.dsc
 125faa2b63e0c8c69c02d54e0e706be16a10fba0 18240 courier-authlib_0.71.1-2.debian.tar.xz
 0911846994e6ab59940b02fd2b51b062983b5b39 8928 courier-authlib_0.71.1-2_source.buildinfo
Checksums-Sha256:
 bccf640911e0213ea89bc63bcc33fe3300d3fd346b842a0abf595a1d5de4e2b5 3754 courier-authlib_0.71.1-2.dsc
 cf5950cfaca97784373d727d7f2af9cada17b2da1cc72ca46387313d6c0b27a9 18240 courier-authlib_0.71.1-2.debian.tar.xz
 b7624e88945e810394273c49182526d06cf244c4c84b5448edc35447cfe6ffac 8928 courier-authlib_0.71.1-2_source.buildinfo
Files:
 e07d8e21e98c735c213d70d9f2efb61f 3754 mail optional courier-authlib_0.71.1-2.dsc
 0e73325fe7aedb485a8d8eb0daab979a 18240 mail optional courier-authlib_0.71.1-2.debian.tar.xz
 cbf3d46c08cfed45221661b8484b86d8 8928 mail optional courier-authlib_0.71.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEE7WdiNgeE4zHiUwPWAlr+layd8xsFAmBGoTYACgkQAlr+layd
8xtiFSAAlam1QUhPpI4LPy3cRPt26Hc556rWhWj1MYK0sjXVPX1lbv2HLEfuR151
7Kx6SilYXvprYPYt8gODzUJGGS5UqdbTf747zfRd92jJm+qspztZiKAU1Wil4IWK
KlCK36oKusKwF4/PFqcQzqmPTnp+Xd9srvIvrioRxswUevGmhjRyNdMzsMJbOZWL
fF6gVABTVgnXugHQbiVQYKTGRNnWIQ6c1Q8WWuuefkq/gMlfjVfl4GDDkSJuXk0A
dgk6GoINIXzWe6WJvOghu82wngKi9scDPsDRna38ZEkLjYKhS15BRR4c9+/U/RXH
+XRpygF5LOvg8gjbenO+2+Ac6N3c00tL4+ZbGp24BlB7Ay8DjyqB7CtLrNUZl3/U
Yr8GlsSFG+msxgkluUYrusWjz97difmrfdGXKZFzTN9xcr8FPSR6oC5MAZLX4+Oz
D9s7lg43RaT4h7YN5R6htnuf4NHlJpOH0nMO2Z3izVROXlrEEozyX3mTKmYRWAYa
X9+nxXppgfIbWyZBJKi+NcmgL8Oveaf+V0ioYIh3vRXZ601SGwpCgQI+zo3Jf9Hh
xuoUv+5p9OK1ssoeRXZKKmHI2UDacwlHPbuPX4GzoYZvQr8YF514qpglifC+dLTN
hhaUGUSY5FcWOA7hyKGSl+8rZreXdQr6cPbXFBolugGx9bc4Wotiz1Ql4XmDqnrt
ptwHzx7RXoRz2hvFvYB9GxdnHNbgOiw05TZglX2twSe2Rt2BzBkJE4gcqyawtx2s
MTJ+nTjPEQtb3cBNFDkkUlOEfqCA0akVL4lGSpB2UHiXX7l5PD0OBhavBW8yJhYa
RZdDRLmj0e4STZb9BB0d5wYytpXCxJECWr6h1rB3BPz0jd0nKCXdTydwX1TUHnk5
CAAaTahtGj7qwfMA4vyvs2CQ/LFHXr9NSXrFumOYZkj3IlmkJsFp+NVBGESyQvzO
5yeabblXKsYy+N8hOrOswRjklAj9va0v7Yxk/OozWy9ztd0WcwscvoK3qEM/CFm2
TnuasVOo3pcHHAk7rrotER2HSs6WbMqmkHzYGEMc/ooi7Tul/cIkZby3nj/xK6CM
WgKDsGcfgI9Cn30qEr/2PYsF+A9NnoRfU7dKanyupNl96oZvV7cn0VlNaiBl68VA
dwuq4xR79JyMvq3SCMGH/lyKfmxmFKXlr39odI/BO0Cpuh24kWAKPyHcklopLLEZ
LdBEEkM7KgFS2r/BdnoohpRnDVO7ldeL5WP87QFvFLbItS0cl4pM8D1iR9F4wp/S
snZxqkkwtns3EAtKBeqMVnHSh1sMIBruFEdUOzeDrK5kP2oyp3vvue/XRc4XgM+j
ZuANgnHkoply3uRi8L0Tuab7l8X5Uw==
=HVVN
-----END PGP SIGNATURE-----
--- End Message ---
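Both messages in this thread come down to filesystem permissions: the reporter's workaround restricts the authtest binary to the courier group, and the maintainer's fix tightens /run/courier/authdaemon, the directory the auth helpers reach the daemon through. The following audit script is an added example, not code from the bug report or from the courier-authlib package. It reports any path in the list whose "other" permission digit is non-zero, i.e. that any local account can reach, and exits non-zero when one is found. It assumes a GNU `stat` (`stat -c '%a'`); the page does not state the exact mode Debian chose for the fixed directory, so the script only checks that the world bits are clear, not a specific mode.

```shell
#!/bin/sh
# Added example: audit whether courier-authlib's authdaemon socket directory
# and the auth* helper binaries are reachable by accounts outside the owner
# and group. Assumes GNU coreutils stat (stat -c '%a' prints the octal mode).

# world_bits PATH -> prints the "other" digit of PATH's octal mode
# (e.g. "5" for 755, "0" for 750), or "?" when PATH does not exist.
world_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "?"; return 0; }
    # strip everything but the last character of the octal mode
    echo "${mode#"${mode%?}"}"
}

# check_path PATH -> 0 when "other" has no r/w/x bit, 1 when it has any,
# 2 when PATH is missing (not installed on this host, so not a finding).
check_path() {
    o=$(world_bits "$1")
    case "$o" in
        '?') printf 'MISSING  %s\n' "$1"; return 2 ;;
        0)   printf 'OK       %s (mode %s)\n' "$1" "$(stat -c '%a' "$1")"; return 0 ;;
        *)   printf 'EXPOSED  %s (mode %s, world bits %s)\n' \
                    "$1" "$(stat -c '%a' "$1")" "$o"; return 1 ;;
    esac
}

# audit PATH... -> 0 only when every existing path is world-inaccessible.
audit() {
    rc=0
    for p in "$@"; do
        check_path "$p"
        r=$?
        [ "$r" -eq 1 ] && rc=1
    done
    return $rc
}

# Paths named in the bug thread: the daemon's socket directory (tightened by
# the Debian fix) and the helper binaries (restricted by the reporter).
DEFAULT_PATHS="/run/courier/authdaemon /usr/sbin/authtest /usr/sbin/authpasswd /usr/sbin/authenumerate"

# Run the audit when invoked directly with paths on the command line;
# with no arguments the functions are just defined (handy for sourcing).
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Usage on a host with the packages installed: `sh audit-authlib.sh $DEFAULT_PATHS` (or pass your own paths). A directory such as the socket directory only needs its execute bit cleared for "other" to stop unprivileged users from reaching the socket inside it, so a 750 directory owned by the courier user and group, as the reporter used for the binary, is reported OK, while 755 or 777 is reported EXPOSED.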

