Package: tinyca
Version: 0.7.5-2
Severity: normal

I saw that tinyca publicly exports entered passwords to all local users
when it calls openssl:

  -passin env:SSLPASS

Obviously, tinyca should use a per-user method to pass the password, such
as a file, or a file descriptor (best), not env variables which are visible
for all local users.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tinyca depends on:
ii  libgtk2-perl            1:1.190-1         Perl interface to the 2.x series o
ii  liblocale-gettext-perl  1.05-4            Using libc functions for internati
hi  openssl                 0.9.8g-15+lenny1  Secure Socket Layer (SSL) binary a

Versions of packages tinyca recommends:
ii  zip                     2.32-1            Archiver for .zip files

tinyca suggests no packages.

-- no debconf information
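
The file-descriptor method the report recommends, as an added example (not code from tinyca or from the reporter): the parent writes the passphrase into a pipe and hands only the read end to the child, so the secret is in neither the environment nor the command line. The function names, the `ca-key.pem` path and the probe child are assumptions made for this sketch; `-passin fd:N` is openssl's own option.

```python
import os
import subprocess
import sys

def openssl_argv(fd, key_path="ca-key.pem"):  # key_path is a placeholder
    # "-passin fd:N" makes openssl read the pass phrase from descriptor N.
    return ["openssl", "rsa", "-in", key_path, "-passin", f"fd:{fd}",
            "-noout", "-check"]

# Constructed stand-in child: reads the secret from the fd given in argv[1]
# and reports its length and whether it appears in its own env or argv.
PROBE = """\
import os, sys
secret = os.read(int(sys.argv[1]), 4096).rstrip(b"\\n")
leaked = (any(secret in v for v in os.environb.values())
          or secret in " ".join(sys.argv).encode())
print(len(secret), leaked)
"""

def probe_argv(fd):
    return [sys.executable, "-c", PROBE, str(fd)]

def run_with_passphrase_fd(build_argv, passphrase):
    """Run build_argv(fd) with `passphrase` readable on inherited pipe fd (POSIX)."""
    if len(passphrase) >= 512:
        # Stay within the minimum pipe capacity so the write cannot block.
        raise ValueError("passphrase too long for a single pipe write")
    read_fd, write_fd = os.pipe()
    try:
        os.write(write_fd, passphrase + b"\n")
        os.close(write_fd)          # child sees EOF after the one line
        write_fd = -1
        return subprocess.run(
            build_argv(read_fd),
            pass_fds=(read_fd,),    # only this descriptor is inherited
            capture_output=True,
            check=False,
        )
    finally:
        os.close(read_fd)
        if write_fd != -1:
            os.close(write_fd)

if __name__ == "__main__":
    result = run_with_passphrase_fd(probe_argv, b"constructed-secret")
    print(result.stdout.decode().strip())
    # With a real key: run_with_passphrase_fd(openssl_argv, passphrase)
```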