Your message dated Mon, 07 Dec 2020 12:20:44 +0000
with message-id <[email protected]>
and subject line Bug#966061: fixed in fusiondirectory 1.3-4
has caused the Debian Bug report #966061,
regarding Dovecot plugin stores master password in unprotected cleartext attribute
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
966061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966061
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fusiondirectory
Version: 1.3-3
Severity: grave
Tags: security
Justification: user security hole

As reported in
https://github.com/fusiondirectory/fusiondirectory-plugins/issues/25
fusiondirectory stores the passwords for the Dovecot and Cyrus master
accounts in LDAP in cleartext, on custom attributes that would be
exposed in a standard OpenLDAP installation.

There is no warning about this, nor any mention in the documentation.
Sadly, upstream seems hostile to the suggestion that this is a serious
security issue, and refuses to even document this behaviour. Personally,
I can't trust the software knowing this, but more importantly, there
might be tons of compromised systems out there.

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fusiondirectory depends on:
ii  apache2 [httpd]                     2.4.38-3+deb10u3
ii  debconf [debconf-2.0]               1.5.71
ii  fusiondirectory-smarty3-acl-render  1.3-3
ii  gettext                             0.19.8.1-9
ii  javascript-common                   11
ii  libarchive-extract-perl             0.80-1
ii  libcrypt-cbc-perl                   2.33-2
ii  libfile-copy-recursive-perl         0.44-1
ii  libjs-prototype                     1.7.1-3
ii  libjs-scriptaculous                 1.9.0-2
ii  libnet-ldap-perl                    1:0.6500+dfsg-1
ii  libpath-class-perl                  0.37-1
ii  libterm-readkey-perl                2.38-1
ii  libxml-twig-perl                    1:3.50-1.1
ii  openssl                             1.1.1d-0+deb10u3
ii  perl [libdigest-sha-perl]           5.28.1-6
ii  php                                 2:7.3+69
ii  php-cas                             1.3.6-1
ii  php-curl                            2:7.3+69
ii  php-fpdf                            3:1.8.1.dfsg-2
ii  php-gd                              2:7.3+69
ii  php-imagick                         3.4.3-4.1
ii  php-imap                            2:7.3+69
ii  php-ldap                            2:7.3+69
ii  php-mbstring                        2:7.3+69
ii  php-xml                             2:7.3+69
ii  php7.3 [php]                        7.3.19-1~deb10u1
ii  php7.3-cli [php-cli]                7.3.19-1~deb10u1
ii  php7.3-curl [php-curl]              7.3.19-1~deb10u1
ii  php7.3-gd [php-gd]                  7.3.19-1~deb10u1
ii  php7.3-imap [php-imap]              7.3.19-1~deb10u1
ii  php7.3-ldap [php-ldap]              7.3.19-1~deb10u1
ii  php7.3-mbstring [php-mbstring]      7.3.19-1~deb10u1
ii  php7.3-xml [php-xml]                7.3.19-1~deb10u1
ii  schema2ldif                         1.3-3
ii  smarty-gettext                      1.6.1-1
ii  smarty3                             3.1.33+20180830.1.3a78a21f+selfpack1-1

fusiondirectory recommends no packages.

Versions of packages fusiondirectory suggests:
pn  argonaut-server         <none>
ii  fusiondirectory-schema  1.3-3
ii  slapd                   2.4.47+dfsg-3+deb10u2

-- Configuration Files:
/etc/fusiondirectory/fusiondirectory-apache.conf changed [not included]

-- debconf information excluded

--- End Message ---
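The exposure the report describes (a custom attribute readable under a stock OpenLDAP ACL set) can be reasoned about by modelling slapd's first-match ACL evaluation. The following is an added example, not code from the bug report or the fusiondirectory package; it assumes Debian's default slapd olcAccess rules, a placeholder attribute name fdExampleMasterPassword and a placeholder service bind DN cn=fd-service,dc=example,dc=org.

```python
# Added example (not from the bug report or fusiondirectory): models OpenLDAP's
# first-match olcAccess evaluation to show why a custom attribute holding a plugin
# master password is readable by any bind under Debian slapd's default ACL set, and
# how a rule placed ahead of the catch-all changes that.
import re
# OpenLDAP access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(line):
    """Split one olcAccess value into (what, [(who, level), ...])."""
    line = re.sub(r"^\{\d+\}", "", line.strip())       # drop the {N} ordering prefix
    what, rest = re.match(r"to\s+(\S+)\s*(.*)$", line).groups()
    return what, re.findall(r"by\s+(\S+)\s+(\w+)", rest)

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    return False                                        # dn/filter selectors not modelled

def who_matches(who, requester):
    """requester is the string 'anonymous' or the bound DN."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester == "anonymous") == (who == "anonymous")
    m = re.match(r'dn(?:\.exact)?="?([^"]+)"?$', who)   # 'self' and others: no match
    return bool(m) and m.group(1).lower() == requester.lower()

def granted_level(rules, attr, requester):
    """First 'to' clause matching the attribute wins, then its first matching 'by'
    (slapd.access(5): implicit 'by * none' per directive, 'to * by * none' at end)."""
    for line in rules:
        what, bys = parse_rule(line)
        if what_matches(what, attr):
            return next((lvl for who, lvl in bys if who_matches(who, requester)), "none")
    return "none"
def can_read(rules, attr, requester):
    return LEVELS.index(granted_level(rules, attr, requester)) >= LEVELS.index("read")

# Constructed: the ACL set Debian's slapd installs by default for its main database.
DEFAULT_ACL = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]
# Constructed: placeholder secret attribute restricted to one service bind DN; the
# rule must precede the catch-all 'to * by * read' or it is never evaluated.
HARDENED_ACL = DEFAULT_ACL[:1] + [
    '{1}to attrs=fdExampleMasterPassword by dn.exact="cn=fd-service,dc=example,dc=org" read by * none',
] + DEFAULT_ACL[1:]
```

With DEFAULT_ACL any bind, including an anonymous one, reaches the catch-all and reads the placeholder attribute; with HARDENED_ACL only the named service DN can.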
--- Begin Message ---
Source: fusiondirectory
Source-Version: 1.3-4
Done: Mike Gabriel <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fusiondirectory, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated fusiondirectory package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 07 Dec 2020 12:25:31 +0100
Source: fusiondirectory
Architecture: source
Version: 1.3-4
Distribution: unstable
Urgency: medium
Maintainer: FusionDirectory Packagers <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 966061 975700 975704 975968
Changes:
 fusiondirectory (1.3-4) unstable; urgency=medium
 .
   * debian/patches:
     + Add 2001_fd-location-in-apache-conf.patch. Fix application path in
       Apache2's configuration snippet. (Closes: #975700).
   * debian/control:
     + Allow co-installation with GOsa². Drop various Conflicts: fields.
       (Closes: #975704).
     + Bump DH compat level to version 13.
     + Bump Standards-Version: to 4.5.1. No changes needed.
   * debian/README.Debian:
     + Add section about security considerations. (Closes: #966061, #975968).
   * debian/fusiondirectory-plugin-{dovecot,cyrus}.links:
     + Symlink fusiondirectory's README.Debian to docs folder of the dovecot and
       the cyrus plugin (because of the security implications mentioned in
       README.Debian).
   * debian/examples:
     + Ship Kerberos hook scripts (kudos to Debian Edu).
   * debian/fusiondirectory.examples:
     + Install Kerberos hook script examples to fusiondirectory bin:pkg.
   * debian/NEWS.Debian:
     + Notify admins when upgrading their FusionDirectory about sensitive data
       storage in LDAP.


--- End Message ---