Your message dated Sat, 15 Sep 2012 19:22:19 +0100 with message-id <1347733339.28617.78.camel@jacala.jungle.funky-badger.org> and subject line Re: Bug#687782: unblock: nullmailer/1:1.11-2 has caused the Debian Bug report #687782, regarding unblock: nullmailer/1:1.11-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 687782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687782 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: nullmailer/1:1.11-2
- From: Nick Leverton <nick@leverton.org>
- Date: Sat, 15 Sep 2012 19:09:41 +0100
- Message-id: <[🔎] 20120915180940.GA22230@leverton.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please would you unblock package nullmailer. This fixes a security issue raised in bug #684619 whereby email auth credentials for the remote host used by the daemon component were stored in a world-readable file. I have attached the debdiff. There is also some discussion on the fix in #684679. I decided not to make the change any more complex as new installers will now be adequately protected anyway, and old installations (most of which won't be using auth as it is a relatively new feature) will not be changed to the surprise of sysadmins. unblock nullmailer/1:1.11-2 Thanks Nick Levertondiff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog 2012-06-16 16:36:28.000000000 +0100 +++ nullmailer-1.11/debian/changelog 2012-08-21 09:01:40.000000000 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) + + -- Nick Leverton <nick@leverton.org> Tue, 21 Aug 2012 09:01:38 +0100 + nullmailer (1:1.11-1) unstable; urgency=low * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.000000000 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.000000000 +0100 @@ -24,6 +24,15 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + if [ ! -e /etc/nullmailer/remotes ] + then + M=$( umask ) + umask 077 + > /etc/nullmailer/remotes + chown mail:mail /etc/nullmailer/remotes + umask $M + fi echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \
--- End Message ---
--- Begin Message ---
- To: Nick Leverton <nick@leverton.org>, 687782-done@bugs.debian.org
- Subject: Re: Bug#687782: unblock: nullmailer/1:1.11-2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 15 Sep 2012 19:22:19 +0100
- Message-id: <1347733339.28617.78.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <[🔎] 20120915180940.GA22230@leverton.org>
- References: <[🔎] 20120915180940.GA22230@leverton.org>
On Sat, 2012-09-15 at 19:09 +0100, Nick Leverton wrote: > Please would you unblock package nullmailer. > > This fixes a security issue raised in bug #684619 whereby email auth > credentials for the remote host used by the daemon component were stored > in a world-readable file. Already unblocked earlier when I saw the bug closure mail; thanks. Regards, Adam
--- End Message ---