On Sun, Nov 5, 2017 at 5:27 AM <[email protected]> wrote:
> Package: reportbug
> Version: 7.1.7
> Severity: grave
> Tags: security
> Justification: user security hole
> Dear team,
> When reportbug is used as a direct SMTP client, the reporting user's
> hostname, IP and username are leaked to the BTS.
well, that's how mail transport systems work
> Such an information leak is not expected (and undesirable). That information is
> passed under Message-ID (hash-reportbug@users-fqdn) and in the Received: from
> section.
this is generated by a standard python function (reportbug/submit.py):
message['Message-ID'] = email.utils.make_msgid('reportbug')
> That information is then made publicly available (under "full text") at the
> BTS website.
> The information can be accessed with the URL
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=$BUGID;msg=5
this is all expected.
what i think your report is missing is a concrete solution to address
whatever you think is wrong. if you can't provide anything, I'm afraid I'm
going to close this report, as I don't think any action is warranted.
Regards,
--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
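The thread turns on one call: email.utils.make_msgid() with no domain argument fills the part after "@" with socket.getfqdn(), which is why the reporter's FQDN ends up in the Message-ID. The following is an added example (not reportbug's own code, and not from either poster) that shows the default behaviour beside the mitigation Python already offers, the domain= parameter; the domain "reportbug.invalid" is a constructed placeholder.

```python
import socket
from email.utils import make_msgid


def message_id_domain(msgid: str) -> str:
    """Return the domain part of a Message-ID such as '<1.2.3.reportbug@host>'."""
    return msgid.strip("<>").rsplit("@", 1)[1]


def default_message_id(idstring: str = "reportbug") -> str:
    # Same call as reportbug/submit.py: no domain given, so Python
    # substitutes socket.getfqdn(), i.e. the submitter's local hostname.
    return make_msgid(idstring)


def pinned_message_id(idstring: str = "reportbug",
                      domain: str = "reportbug.invalid") -> str:
    # Passing an explicit domain keeps the local hostname out of the header.
    # "reportbug.invalid" is a placeholder; a real client would use a domain
    # it controls or one the submission service expects.
    return make_msgid(idstring, domain=domain)


def leaks_local_fqdn(msgid: str) -> bool:
    """True when the Message-ID carries this machine's fully qualified hostname."""
    return message_id_domain(msgid) == socket.getfqdn()


if __name__ == "__main__":
    for label, msgid in (("default", default_message_id()),
                         ("pinned", pinned_message_id())):
        print(f"{label:8} {msgid}  leaks FQDN: {leaks_local_fqdn(msgid)}")
```

Note that this only addresses the Message-ID; the Received: header is added by the receiving MTA from the connecting address, so it is outside the client's control.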