Your message dated Thu, 03 Mar 2011 01:56:09 +0000
with message-id <e1puxlx-0000xe...@franck.debian.org>
and subject line Bug#614302: fixed in dtc 0.29.17-1+lenny1
has caused the Debian Bug report #614302,
regarding CVE-2011-0436: new users' unencrypted passwords emailed to site admin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
614302: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security

dtc sends the password of new users to the webmaster:

  $mail_content = "
  Somebody tried to register an account. Here is the details of
  the new user:

  login: ".$_REQUEST["reqadm_login"]."
  pass: ".$_REQUEST["reqadm_pass"]."
  [...]
  mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);

(from client/new_account_form.php)

This mail is not encrypted.  I also don't see any reason why the
webmaster should even know the password...

Ansgar



--- End Message ---
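The defensive fix for what the report describes is to keep the credential out of the notification entirely and to store only a hash of it. The following is an added illustration, not dtc's code nor the patch shipped in 0.29.17-1+lenny1; it assumes PHP 7+ and invents build_admin_notice(), credential_for_storage() and the $conf_* placeholder values.

```php
<?php
// Added example (not from dtc): build the admin notification without the
// password. The vulnerable pattern on the page put $_REQUEST["reqadm_pass"]
// straight into the mail body; here only non-secret fields are included.

// Hypothetical config values, standing in for dtc's $conf_* globals.
$conf_webmaster_email_addr   = 'webmaster@example.invalid';
$conf_message_subject_header = '[DTC]';

// Fields that are safe to disclose to the webmaster. The password is
// deliberately absent: there is no reason for the admin to know it.
const NOTICE_FIELDS = ['reqadm_login', 'reqadm_email', 'reqadm_fullname'];

function build_admin_notice(array $req): string {
    $lines = ["Somebody tried to register an account. Details of the new user:", ""];
    foreach (NOTICE_FIELDS as $field) {
        // Strip CR/LF so a submitted value cannot add its own mail lines.
        $value = str_replace(["\r", "\n"], ' ', (string)($req[$field] ?? ''));
        $lines[] = substr($field, strlen('reqadm_')) . ': ' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// The secret goes only into storage, and only as a salted hash.
function credential_for_storage(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed request, as the registration form would submit it.
$request = [
    'reqadm_login'    => 'newuser',
    'reqadm_email'    => 'newuser@example.invalid',
    'reqadm_fullname' => 'New User',
    'reqadm_pass'     => 'S3cret-pass',
];

$body = build_admin_notice($request);
assert(strpos($body, 'S3cret-pass') === false);   // the password never reaches the mail

$headers = 'From: ' . $conf_webmaster_email_addr . "\r\n";
mail($conf_webmaster_email_addr,
     "$conf_message_subject_header Somebody tried to register an account",
     $body, $headers);

$hash = credential_for_storage($request['reqadm_pass']);   // store this, never the password
```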
--- Begin Message ---
Source: dtc
Source-Version: 0.29.17-1+lenny1

We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:

dtc-common_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-common_0.29.17-1+lenny1_all.deb
dtc-core_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-core_0.29.17-1+lenny1_all.deb
dtc-cyrus_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-cyrus_0.29.17-1+lenny1_all.deb
dtc-postfix-courier_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-postfix-courier_0.29.17-1+lenny1_all.deb
dtc-stats-daemon_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-stats-daemon_0.29.17-1+lenny1_all.deb
dtc-toaster_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-toaster_0.29.17-1+lenny1_all.deb
dtc_0.29.17-1+lenny1.diff.gz
  to main/d/dtc/dtc_0.29.17-1+lenny1.diff.gz
dtc_0.29.17-1+lenny1.dsc
  to main/d/dtc/dtc_0.29.17-1+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated dtc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Feb 2011 02:17:33 +0800
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.17-1+lenny1
Distribution: lenny-security
Urgency: low
Maintainer: Thomas Goirand <tho...@goirand.fr>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 dtc-common - web control panel for admin and accounting hosting services (comm
 dtc-core   - web control panel for admin and accounting hosting services (fewe
 dtc-cyrus  - web control panel for admin and accounting hosting services (cyru
 dtc-postfix-courier - web control panel for admin and accounting hosting services (more
 dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
 dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 614302
Changes: 
 dtc (0.29.17-1+lenny1) lenny-security; urgency=low
 .
   * Fixes: CVE-2011-0434: SQL injection in bw_per_month.php graph
   * Fixes: CVE-2011-0435: Bandwidth information disclosure in bw_per_month.php
     graph.
   * Fixes: CVE-2011-0436: Passwords being emailed to the admin in clear text
     (Closes: #614302).
   * Fixes: CVE-2011-0437: Removed dangerous SQL old unused code for ssh
     accounts management.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
