[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#557948: Severity of 557948 and plans for this bug

On Mon, 22 Mar 2010, Don Armstrong wrote:
> On Thu, 04 Mar 2010, Aníbal Monsalve Salazar wrote:
> > On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
> > >Do you expect the ctte to override the severity or demand a specific
> > >fix? The former can be done, but the latter will (almost certainly)
> > >require a patch before that happens.
> > 
> > I plan to fix it later in the evening.
> Anibal: what's the current status of this? Can we assume that the
> underlying issue will be resolved shortly?

I haven't heard from Anibal, and I don't see any public progress
regarding this; I think we may need to actually address the severity
of this bug. [At any point, if it gets fixed, it'll obviate our

ssmtp requires access to configuration files which may contain
authentication information necessary to connect to remote mail

As such, these files should not be readable by normal users, but
ideally only ssmtp (or possibly users who are authorized to send
outgoing mail.)

Currently, these files are root:mail 640, and the configuration
requests that users be added to the mail group to be able to send
mail. Unfortunatly, this ends up in the users in this group being able
to read and write to all mail spools by default.

We have the following options if we want to just decide the severity:

1. The package must not be released with this bug; it should have a
severity of at least serious.

2. The package can be released with this bug; it does not need a
severity of serious or greater. The maintainer can elevate the

3. Further discussion

I'd like to at least resolve this part of the bug by calling for a
vote in the next 48 hours. I think that we can actually discuss a fix
for this bug later if the maintainer (or someone who uses ssmtp who
wants to submit a patch) has any questions after that fact.

Don Armstrong

Clothes make the man. Naked people have little or no influence on
 -- Mark Twain 

http://www.donarmstrong.com              http://rzlab.ucr.edu

Reply to: