Your message dated Sat, 15 Sep 2012 19:22:19 +0100
with message-id <[email protected]>
and subject line Re: Bug#687782: unblock: nullmailer/1:1.11-2
has caused the Debian Bug report #687782,
regarding unblock: nullmailer/1:1.11-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
687782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please would you unblock package nullmailer.
This fixes a security issue raised in bug #684619 whereby email auth
credentials for the remote host used by the daemon component were stored
in a world-readable file.
I have attached the debdiff.
There is also some discussion on the fix in #684679. I decided not to
make the change any more complex as new installers will now be adequately
protected anyway, and old installations (most of which won't be using
auth as it is a relatively new feature) will not be changed to the
surprise of sysadmins.
unblock nullmailer/1:1.11-2
Thanks
Nick Leverton
diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog
--- nullmailer-1.11/debian/changelog 2012-06-16 16:36:28.000000000 +0100
+++ nullmailer-1.11/debian/changelog 2012-08-21 09:01:40.000000000 +0100
@@ -1,3 +1,9 @@
+nullmailer (1:1.11-2) unstable; urgency=low
+
+ * Make 'remotes' not world-readable (Closes: #684619)
+
+ -- Nick Leverton <[email protected]> Tue, 21 Aug 2012 09:01:38 +0100
+
nullmailer (1:1.11-1) unstable; urgency=low
* New upstream release
diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
--- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.000000000 +0100
+++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.000000000 +0100
@@ -24,6 +24,15 @@
fi
db_get nullmailer/relayhost
+ # securely create nullmailer/remotes with mode 0600
+ if [ ! -e /etc/nullmailer/remotes ]
+ then
+ M=$( umask )
+ umask 077
+ > /etc/nullmailer/remotes
+ chown mail:mail /etc/nullmailer/remotes
+ umask $M
+ fi
echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
-e 's/[[:space:]]*:[[:space:]]*/\n/g' \
-e ':b s/(\[[^]=]*)=/\1:/; tb' \
--- End Message ---
--- Begin Message ---
On Sat, 2012-09-15 at 19:09 +0100, Nick Leverton wrote:
> Please would you unblock package nullmailer.
>
> This fixes a security issue raised in bug #684619 whereby email auth
> credentials for the remote host used by the daemon component were stored
> in a world-readable file.
Already unblocked earlier when I saw the bug closure mail; thanks.
Regards,
Adam
--- End Message ---
