oss-sec mailing list archives
Re: CVE request: nullmailer world readable /etc/nullmailer/remotes
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Aug 2013 13:39:06 -0600
On 08/09/2013 12:42 PM, William Pitcock wrote:
> Hello,
>
> /etc/nullmailer/remotes may contain SMTP authentication information as arguments provided to the requested nullmailer sending module, e.g.:
>
> smtp.gmail.com smtp --username=foo --password=bar --starttls --port=587
>
> William
Please use CVE-2013-4223 for this issue.
> On Fri, Aug 9, 2013 at 12:16 PM, Christey, Steven M. <coley () mitre org> wrote:
>> Agostino,
>>
>> Out of curiosity, what types of sensitive information are contained in this file that cause world-readable permissions to pose a vulnerability?
>>
>> - Steve
>>
>>> -----Original Message-----
>>> From: Agostino Sarubbo [mailto:ago () gentoo org]
>>> Sent: Friday, August 09, 2013 1:15 PM
>>> To: oss-security () lists openwall com
>>> Subject: [oss-security] CVE request: nullmailer world readable /etc/nullmailer/remotes
>>>
>>> Hello,
>>>
>>> On Gentoo, the file /etc/nullmailer/remotes is installed with wrong permissions:
>>>
>>> ~ # ls -la /etc/nullmailer/remotes
>>> -rw-r--r-- 1 root root 971 Aug 9 18:58 /etc/nullmailer/remotes
>>>
>>> Nullmailer-1.11-r2 contains the fix, all prior versions are affected.
>>>
>>> Please assign a CVE.
>>>
>>> --
>>> Agostino Sarubbo
>>> Gentoo Linux Developer
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
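
A check for the condition discussed in this thread, as an added example that is not part of the original messages. The function name `audit_remotes` and its return codes are hypothetical, and the option pattern is modelled on the `--username=`/`--password=` example line quoted above.

```shell
#!/bin/sh
# Added example: audit a nullmailer remotes file for the exposure in this thread.
# Return codes (chosen for this example, not defined by nullmailer):
#   0 not world-readable   1 world-readable and holds credential options
#   2 world-readable, no credential options found   3 file missing

audit_remotes() {
    file=${1:-/etc/nullmailer/remotes}
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 3
    fi

    # Count lines with auth options shaped like the thread's example
    # (--username=..., --password=...). Commented-out lines are counted too:
    # a credential left in a comment is just as readable.
    creds=$(grep -c -E -e '--(user|pass)[a-z]*=' "$file" || true)

    # POSIX find prints the path only when the "other" read bit (004) is set.
    if [ -z "$(find "$file" -prune -perm -004 -print)" ]; then
        echo "OK $file: not world-readable ($creds credential line(s))"
        return 0
    fi

    if [ "$creds" -gt 0 ]; then
        echo "EXPOSED $file: world-readable, $creds line(s) with credentials"
        echo "  remove world-read access and rotate the SMTP password(s)"
        return 1
    fi
    echo "WARN $file: world-readable, no credential options found"
    return 2
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_remotes "$1"
fi
```

Any password found in a file that was world-readable should be treated as disclosed to every local account, so tightening the mode alone does not close the exposure.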