Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

GLSA: vpopmail (200310-01)

From: John Mylchreest <johnm () gentoo org>
Date: Thu, 02 Oct 2003 20:10:11 +0100
GENTOO LINUX SECURITY ANNOUNCEMENT
---------------------------------------------------------------------
          PACKAGE : vpopmail
          SUMMARY : Insecure file permissions.
             DATE : 2003-10-02 18:28 UTC
          EXPLOIT : local
VERSIONS AFFECTED : <=5.2.1-r5
    FIXED VERSION : 5.2.1-r6
     GENTOO BUG # : 23502
              CVE : none known at present time
---------------------------------------------------------------------

DESCRIPTION:
The file /etc/vpopmail.conf which is distributed by versions of
vpopmail less than 5.2.1-r6 has insecure permissions when merged
with USE="mysql" causing it to be world readable.

This means that any local user is able to view the contents of this
file. The file contains unencrypted password information used to
access the MySQL database server to modify the vpopmail table 
information.

SOLUTION:
chmod 640 /etc/vpopmail.conf

emerge sync
emerge -u vpopmail -pv
emerge -u vpopmail
emerge clean

-- 

John Mylchreest.

Gentoo Linux:    http://www.gentoo.org
Public Key:      gpg --recv-keys 0xEAB9E721
                 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEAB9E721

Key fingerprint: 0670 E5E4 F461 806B 860A  2245 A40E 72EB EAB9 E721

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: