Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+T2pCGDU-OJ8t_aO-YCb9UVfXyvKn3Ahnf8D0m=pw-jL-StyA@mail.gmail.com>
Date: Fri, 9 Aug 2013 13:42:16 -0500
From: William Pitcock <nenolod@...eferenced.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE request: nullmailer world readable /etc/nullmailer/remotes

Hello,

/etc/nullmailer/remotes may contain SMTP authentication information as
arguments provided to the requested nullmailer sending module, e.g.:

smtp.gmail.com smtp --username=foo --password=bar --starttls --port=587

William

On Fri, Aug 9, 2013 at 12:16 PM, Christey, Steven M. <coley@...re.org> wrote:
> Agostino,
>
> Out of curiosity, what types of sensitive information are contained in this file that cause world-readable permissions to pose a vulnerability?
>
> - Steve
>
>
>>-----Original Message-----
>>From: Agostino Sarubbo [mailto:ago@...too.org]
>>Sent: Friday, August 09, 2013 1:15 PM
>>To: oss-security@...ts.openwall.com
>>Subject: [oss-security] CVE request: nullmailer world readable
>>/etc/nullmailer/remotes
>>
>>Hello,
>>
>>On Gentoo, the file /etc/nullmailer/remotes is installed with wrong
>>permissions:
>>
>>~ # ls -la /etc/nullmailer/remotes
>>-rw-r--r-- 1 root root 971 Aug  9 18:58 /etc/nullmailer/remotes
>>
>>Nullmailer-1.11-r2 contains the fix, all prior versions are affected.
>>
>>Please assign a CVE.
>>--
>>Agostino Sarubbo
>>Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.