On 13-11-2020 08:18, Georgi Guninski wrote:
> Some more exploit vectors from the FD list:
> https://seclists.org/fulldisclosure/2020/Nov/13
> Partial results:
> 1. mutt (text email client) exposes ~/.mutt/muttrc,
> which might contain the imap password in plaintext.

Interesting find. Please report this to the mutt package maintainer
using reportbug[1].

> 2. Some time ago on a multiuser debian mirror we found a lot of data,
> including the wordpress password of the admin.

As Giacomo already explained, there is nothing an OS can do to stop the
insecure behavior of its users.

> 3. Anything created by EDITOR NEWFILE is readable, unless the directory
> prevents it. This includes root doing EDITOR /etc/NEWFILE

Yes, that is indeed the default. If you don't like it, you can change
the system umask in /etc/login.defs or /etc/profile

Somehow I get the feeling you are using debian-security@lists.debian.org
to report a security issue with Debian. This is however just a
discussion mailing list about Debian security. If you wish to report a
serious security issue (which I did not find in your E-mails) you need
to contact the Debian Security Team[2].
Kind regards,
Richard
[1]: https://wiki.debian.org/reportbug
[2]: https://www.debian.org/security/faq#contact
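
An added example, not part of the original e-mail: a shell sketch of the umask behaviour discussed under point 3, plus a check for files that other users can read, such as the muttrc from point 1. The function names, temporary paths and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; all paths and file contents below are constructed.

# Create a new file under the given umask and print its permission
# string (e.g. "-rw-r--r--"). The subshell keeps the umask change local.
new_file_perms() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        : > "$dir/NEWFILE"      # created with mode 0666 & ~umask
        ls -l "$dir/NEWFILE" | cut -c1-10
        rm -rf "$dir"
    )
}

# List regular files under a directory that "other" users may read.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Demo: a constructed home directory with a muttrc-style file.
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/.mutt"
    ( umask 022; echo 'set imap_pass="constructed-example"' > "$home/.mutt/muttrc" )
    echo "umask 022 -> $(new_file_perms 022)"
    echo "umask 027 -> $(new_file_perms 027)"
    echo "umask 077 -> $(new_file_perms 077)"
    echo "world-readable before chmod:"
    world_readable_files "$home"
    chmod 600 "$home/.mutt/muttrc"
    echo "world-readable after chmod 600: $(world_readable_files "$home" | wc -l)"
    rm -rf "$home"
}

demo
```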