Package: roundcube-plugins
Version: 0.9.5-1~bpo70+1
Severity: important

Dear Debian folks,

it’s not a direct issue, but people copying over the example file get a world-readable file, which is not a good idea if passwords for databases are stored in it.

    # ls -lh /etc/roundcube/plugins/password/config.inc.php
    -rw-r--r-- 1 root root 127 Nov 3 19:28 /etc/roundcube/plugins/password/config.inc.php
    # cp -a /usr/share/roundcube/plugins/password/config.inc.php.dist /etc/roundcube/plugins/password/config.inc.php
    # ls -lh /etc/roundcube/plugins/password/config.inc.php
    -rw-r--r-- 1 root root 14K Oct 21 19:39 /etc/roundcube/plugins/password/config.inc.php

For example, the database password is stored in the variable below.

    $rcmail_config['password_db_dsn']

One could argue that the user/administrator should take care of that, but a note in the empty configuration file would be helpful so that this is not overlooked. No idea if you can think of other ways.

Thanks,

Paul
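
A check for the situation reported above and a copy step that does not inherit the template's 0644 mode, as an added example that is not part of the original report or of the Debian package. The helper names `find_exposed_configs` and `install_private_config` are hypothetical, and the `www-data` group in the comments is an assumption about the account the web server runs as.

```shell
#!/bin/sh
# Added example (not from the bug report or the roundcube package).

# Print every config.inc.php below directory $1 that is readable by
# "other" AND assigns a *dsn* setting such as password_db_dsn.
find_exposed_configs() {
    root=$1
    find "$root" -type f -name 'config.inc.php' -perm -004 2>/dev/null |
    while IFS= read -r f; do
        # Match an assignment like: $rcmail_config['password_db_dsn'] = ...
        # Commented-out lines (starting with // or #) do not match.
        if grep -Eq '^[[:space:]]*\$[A-Za-z_]*config\[.*dsn.*\][[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Copy template $1 to $2 with mode 0640 instead of the 0644 that
# "cp -a" carries over from the .dist file. Optional $3 is the group
# that must be able to read the file (assumption: www-data on Debian).
# Changing the group normally requires root.
install_private_config() {
    src=$1
    dst=$2
    group=${3:-}
    install -m 0640 "$src" "$dst" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dst" || return 1
    fi
}

# Stand-alone use: pass the directory to audit, e.g. /etc/roundcube
if [ "$#" -gt 0 ]; then
    find_exposed_configs "$1"
fi
```

With mode 0640 and owner root, the web server can only read the file once the group argument is supplied, so pass it when copying a config that the plugin actually has to load.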