-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2625-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta April 14, 2021 https://wiki.debian.org/LTS - -----------------------------------------------------------------------
Package : courier-authlib Version : 0.66.4-9+deb9u1 CVE ID : CVE-2021-28374 Debian Bug : 984810 The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash). For Debian 9 stretch, this problem has been fixed in version 0.66.4-9+deb9u1. We recommend that you upgrade your courier-authlib packages. For the detailed security status of courier-authlib please refer to its security tracker page at: https://security-tracker.debian.org/tracker/courier-authlib Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmB2j7sACgkQgj6WdgbD S5Zmcw//QDVlFN8atCWoGbp1yW+ZBD/fCJhriaGNhtgtcRh19YsI4Ti1ypvC5VOl n1dRIt+GMm6sOze4AvdchazL47jtgq77iyeTXtUxUPZirE+l8OcTx1lOgroP/z79 4K5HTvOleqLPFYNCWD13t2JgwKoaHkWrxq+aafL+71DcG82iwQrIjxW3KzoggJtP JHJTP9lRAAjP5N7gB2FQPH6WY8vKUsHlqIdOGvOmjfKtQOxHN78ZTHOlPUvyfVhU wzydNmHKDZo47J1mxBaKLML9JJIqJlGfXJ9PCxdPv6TpDYnSA7xSKjx4JAnuW+b7 hXbEVEMneyzkIEiW4pMwsxmIylNjMxWrGznyf/ihJwm3j9WxCJA7rO4OEnCbP/ca /qkTasZvfOtjwOB1MiXx3E7iOVUuyecX+ddk0nBznbBG814rkgcYO4k3FjSlvWcQ UyqObeBcpOiUhj5T1+LH9bRo9X8tG19QaIAGKmiePwKmV1M39ZWJttZ/PcMuLACc FStoxkLhL5AaJvDUuOwcFmxAYt0aL1uJJgoPp39SqD8jk9z5y9trAVooblZn2oob fHCf3qnKD0zuJS2qj0ssKWzB7aLKAgY4KadIQsH2lcH2/OBIEe8ZWKNSk/TIMbtQ RdZ+dnucjIyjZdfU6AXjaRYbOjQHlhHqkD4hE5C80WCLiVvMRfE= =Yqdx -----END PGP SIGNATURE-----
