Your message dated Sun, 13 Jan 2008 17:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#448519: fixed in dspam 3.6.8-5.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libdspam7-drv-mysql
Version: 3.6.8-5
Severity: grave
Tags: security
Justification: user security hole

The cron job in /etc/cron.daily/libdspam7-drv-mysql calls mysql like
this:

   /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS

This makes the database password of the dspam database user visible in
the command line, so users may see it using ps. A malicious local user
can use this to connect to the dspam database and read all recent mail of
dspam users. This bug is easily fixed by using a config file or
environment variable to pass the password to mysql.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libdspam7-drv-mysql depends on:
ii  dbconfig-common        1.8.29+etch1      common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.11            Debian configuration management sy
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libdspam7              3.6.8-5           DSPAM is a scalable and statistica
ii  libldap2               2.1.30-13.3       OpenLDAP libraries
ii  libmysqlclient15off    5.0.32-7etch1     mysql database client library
ii  mysql-client-5.0 [mysq 5.0.32-7etch1     mysql database client binaries
ii  ucf                    2.0020            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3-13        compression library - runtime

Versions of packages libdspam7-drv-mysql recommends:
ii  mysql-server-5.0 [mysql-se 5.0.32-7etch1 mysql database server binaries

-- debconf information excluded



--- End Message ---
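As an added example (not the package's cron job and not the maintainer's fix), the leaky invocation from the report beside a hardened one that passes the password through a mode-0600 MySQL option file, plus a small audit check for other cron jobs; MYSQL_USER, MYSQL_PASS and the option-file name are placeholders.

```shell
#!/bin/sh
# Added example, not the libdspam7-drv-mysql cron job or the maintainer's fix:
# the reported invocation beside a hardened one that hands the password to
# mysql in a root-only option file.  Names and values here are placeholders.

MYSQL_USER="${MYSQL_USER:-dspam}"
MYSQL_PASS="${MYSQL_PASS:-constructed-sample-secret}"

# Before: the password is part of argv, so any local user can read it from
# ps or /proc/<pid>/cmdline for as long as the client runs.
leaky_command() {
    printf '%s\n' "/usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS"
}

# After, step 1: write a MySQL option file inside a subshell with umask 077
# so it is created mode 0600 and no other user can open it.  Prints the path.
write_option_file() {
    file="$1/dspam-mysql.cnf"
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$MYSQL_USER" "$MYSQL_PASS" > "$file" )
    printf '%s\n' "$file"
}

# After, step 2: argv now carries only the file path.  mysql requires
# --defaults-extra-file to be the first option on the command line.
safe_command() {
    printf '%s\n' "/usr/bin/mysql --defaults-extra-file=$1"
}

# Audit helper for other cron jobs: returns 0 when a command line carries a
# non-empty --password=<value>; a bare --password (prompt) is not flagged.
embeds_password() {
    case "$1" in
        *--password=?*) return 0 ;;
    esac
    return 1
}

# Confirms the option file is 0600 (GNU stat first, BSD stat as fallback).
mode_is_0600() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Demo run in a scratch directory; prints both command lines.
demo_dir=$(mktemp -d)
demo_file=$(write_option_file "$demo_dir")
echo "before: $(leaky_command)"
echo "after:  $(safe_command "$demo_file")"
rm -rf "$demo_dir"
```

The option file must be owned by the user the cron job runs as; a world-readable file would reintroduce the same exposure through a different path.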
--- Begin Message ---
Source: dspam
Source-Version: 3.6.8-5.1

We believe that the bug you reported is fixed in the latest version of
dspam, which is due to be installed in the Debian FTP archive:

dspam-doc_3.6.8-5.1_all.deb
  to pool/main/d/dspam/dspam-doc_3.6.8-5.1_all.deb
dspam-webfrontend_3.6.8-5.1_all.deb
  to pool/main/d/dspam/dspam-webfrontend_3.6.8-5.1_all.deb
dspam_3.6.8-5.1.diff.gz
  to pool/main/d/dspam/dspam_3.6.8-5.1.diff.gz
dspam_3.6.8-5.1.dsc
  to pool/main/d/dspam/dspam_3.6.8-5.1.dsc
dspam_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/dspam_3.6.8-5.1_i386.deb
libdspam7-dev_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-dev_3.6.8-5.1_i386.deb
libdspam7-drv-db4_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-db4_3.6.8-5.1_i386.deb
libdspam7-drv-mysql_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-mysql_3.6.8-5.1_i386.deb
libdspam7-drv-pgsql_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5.1_i386.deb
libdspam7-drv-sqlite3_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5.1_i386.deb
libdspam7_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7_3.6.8-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Friedli <[EMAIL PROTECTED]> (supplier of updated dspam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Sun, 13 Jan 2008 14:59:25 +0100
Source: dspam
Binary: libdspam7-dev libdspam7-drv-pgsql dspam libdspam7-drv-mysql dspam-webfrontend dspam-doc libdspam7-drv-db4 libdspam7 libdspam7-drv-sqlite3
Architecture: source i386 all
Version: 3.6.8-5.1
Distribution: unstable
Urgency: high
Maintainer: Debian DSPAM Maintainers <[EMAIL PROTECTED]>
Changed-By: Adrian Friedli <[EMAIL PROTECTED]>
Description: 
 dspam      - is a scalable, fast and statistical anti-spam filter
 dspam-doc  - Documentation for dspam
 dspam-webfrontend - DSPAM is a scalable and statistical anti-spam filter
 libdspam7  - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-dev - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-db4 - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-mysql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-pgsql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-sqlite3 - DSPAM is a scalable and statistical anti-spam filter
Closes: 448519
Changes: 
 dspam (3.6.8-5.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Giving the password in libdspam7-drv-mysql cronjob in a file instead of
     the command line. CVE-2007-6418[0] (Closes: #448519)
Files: 




--- End Message ---
