oss-sec mailing list archives
Re: CVE request: nullmailer world readable /etc/nullmailer/remotes
From: William Pitcock <nenolod () dereferenced org>
Date: Fri, 9 Aug 2013 13:42:16 -0500
Hello,

/etc/nullmailer/remotes may contain SMTP authentication information as arguments provided to the requested nullmailer sending module, e.g.:

smtp.gmail.com smtp --username=foo --password=bar --starttls --port=587

William

On Fri, Aug 9, 2013 at 12:16 PM, Christey, Steven M. <coley () mitre org> wrote:
> Agostino,
>
> Out of curiosity, what types of sensitive information are contained in this file that cause world-readable permissions to pose a vulnerability?
>
> - Steve
>
> -----Original Message-----
> From: Agostino Sarubbo [mailto:ago () gentoo org]
> Sent: Friday, August 09, 2013 1:15 PM
> To: oss-security () lists openwall com
> Subject: [oss-security] CVE request: nullmailer world readable /etc/nullmailer/remotes
>
> Hello,
>
> On Gentoo, the file /etc/nullmailer/remotes is installed with wrong permissions:
>
> ~ # ls -la /etc/nullmailer/remotes
> -rw-r--r-- 1 root root 971 Aug 9 18:58 /etc/nullmailer/remotes
>
> Nullmailer-1.11-r2 contains the fix, all prior versions are affected.
>
> Please assign a CVE.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer
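
A check for the condition discussed in this thread, added here as an example and not part of any poster's message or of nullmailer itself: it reports whether a remotes file is readable by "other" and whether it holds options shaped like the `--username=`/`--password=` arguments quoted above. The function name, return codes and the option pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a nullmailer remotes file for the exposure in this thread.
# Return codes (chosen for this example, not defined by nullmailer):
#   0  file is not readable by "other"
#   1  file is readable by "other" AND contains credential options
#   2  file is readable by "other", no credential options found
#   3  file missing
audit_remotes() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 3; }

    # Octal permission bits: GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")

    # The last octal digit is the "other" class; 4 is its read bit.
    other=${mode#"${mode%?}"}
    case $other in
        4|5|6|7) ;;
        *) echo "OK       $f mode=$mode"; return 0 ;;
    esac

    # Count lines with options shaped like the thread's --username=/--password=
    # (assumed pattern). Only the count is printed, never the values.
    n=$(grep -Ec -e '--(user|pass)[a-z]*=' "$f") || true
    if [ "${n:-0}" -gt 0 ]; then
        echo "EXPOSED  $f mode=$mode: $n line(s) with SMTP credentials readable by any local user"
        return 1
    fi
    echo "WARN     $f mode=$mode: world-readable, no credential options found"
    return 2
}

# Run against a path when one is given, e.g. ./audit.sh /etc/nullmailer/remotes
if [ "$#" -gt 0 ]; then
    audit_remotes "$1"
fi
```

Only the mode bits are inspected; POSIX ACLs and directory permissions on the path are outside this check.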