Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please would you unblock package nullmailer.
This fixes a security issue raised in bug #684619 whereby email auth
credentials for the remote host used by the daemon component were stored
in a world-readable file.
I have attached the debdiff.
There is also some discussion on the fix in #684679. I decided not to
make the change any more complex as new installers will now be adequately
protected anyway, and old installations (most of which won't be using
auth as it is a relatively new feature) will not be changed to the
surprise of sysadmins.
unblock nullmailer/1:1.11-2
Thanks
Nick Leverton
diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog
--- nullmailer-1.11/debian/changelog 2012-06-16 16:36:28.000000000 +0100
+++ nullmailer-1.11/debian/changelog 2012-08-21 09:01:40.000000000 +0100
@@ -1,3 +1,9 @@
+nullmailer (1:1.11-2) unstable; urgency=low
+
+ * Make 'remotes' not world-readable (Closes: #684619)
+
+ -- Nick Leverton <n...@leverton.org> Tue, 21 Aug 2012 09:01:38 +0100
+
nullmailer (1:1.11-1) unstable; urgency=low
* New upstream release
diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
--- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.000000000 +0100
+++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.000000000 +0100
@@ -24,6 +24,15 @@
fi
db_get nullmailer/relayhost
+ # securely create nullmailer/remotes with mode 0600
+ if [ ! -e /etc/nullmailer/remotes ]
+ then
+ M=$( umask )
+ umask 077
+ > /etc/nullmailer/remotes
+ chown mail:mail /etc/nullmailer/remotes
+ umask $M
+ fi
echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
-e 's/[[:space:]]*:[[:space:]]*/\n/g' \
-e ':b s/(\[[^]=]*)=/\1:/; tb' \
