Your message dated Mon, 07 Nov 2005 14:32:27 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#332841: fixed in masqmail 0.2.21-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Paolo <[EMAIL PROTECTED]>
Subject: masqmail: insecure temp file
Date: Sun, 09 Oct 2005 00:11:30 +0200

Package: masqmail
Version: 0.2.20-1sarge1
Severity: critical

hi,

seems to me that the default config of online_file is pretty insecure:
/tmp/connect_route
given the way it's created by the ip-up script:

    [ ROUTEFILE=/tmp/connect_route ]
    ...
    if [ -n "$SCHEME" ] ; then
        echo -n "$SCHEME" > "$ROUTEFILE"
        chmod 0644 "$ROUTEFILE"
    fi
    ...

I think adding
    rm -f "$ROUTEFILE"
before 'echo ...' would be enough.
-- paolo

-- System Information
Debian Release: 3.0
Kernel Version: Linux npp 2.4.26-ss-fb-lm287 #1 Fri Jul 16 21:26:09 CEST 2004 i686 unknown

---------------------------------------
From: Oliver Kurth <[EMAIL PROTECTED]>
Subject: Bug#332841: fixed in masqmail 0.2.21-1
Date: Mon, 07 Nov 2005 14:32:27 -0800

Source: masqmail
Source-Version: 0.2.21-1

We believe that the bug you reported is fixed in the latest version of masqmail, which is due to be installed in the Debian FTP archive:

masqmail_0.2.21-1.diff.gz
  to pool/main/m/masqmail/masqmail_0.2.21-1.diff.gz
masqmail_0.2.21-1.dsc
  to pool/main/m/masqmail/masqmail_0.2.21-1.dsc
masqmail_0.2.21-1_i386.deb
  to pool/main/m/masqmail/masqmail_0.2.21-1_i386.deb
masqmail_0.2.21.orig.tar.gz
  to pool/main/m/masqmail/masqmail_0.2.21.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Oliver Kurth <[EMAIL PROTECTED]> (supplier of updated masqmail package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 07 Nov 2005 14:09:21 -0800
Source: masqmail
Binary: masqmail
Architecture: source i386
Version: 0.2.21-1
Distribution: unstable
Urgency: low
Maintainer: Oliver Kurth <[EMAIL PROTECTED]>
Changed-By: Oliver Kurth <[EMAIL PROTECTED]>
Description:
 masqmail - A mailer for hosts without permanent internet connection
Closes: 224273 329307 332023 332841 332960 337921
Changes:
 masqmail (0.2.21-1) unstable; urgency=low
 .
   * security fixes (closes: #329307)
     - do not use shell when executing sub programs
     - do not accept backtick in email addresses
     - write log files as 'mail' user
   * changed default online status file to /var/run/masqmail/masqmail-route (closes: #332841)
   * depend on debconf | debconf-2.0 (closes: #332023)
   * add debug.log to logrotate script (closes: #332960)
   * fix typo in templates ('failure') (closes: #224273)
   * use glib2 instead of old glib1.2 (closes: #337921)
   * use /var/run/masqmail for pid files
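
The temp-file problem reported in this thread, as an added example that is not part of the bug report or of the masqmail package: the reported write pattern next to a hardened one, run in a constructed sandbox. The function names, the sandbox layout and the scheme value `isp1` are assumptions, and the hardened form assumes a dedicated directory that group and others cannot write to.

```shell
#!/bin/sh
# Added example; everything runs inside a constructed mktemp sandbox.

# Weak form, as in the reported ip-up snippet: ">" opens a predictable path
# and follows a symlink that already exists under that name.
write_route_weak() {            # $1 = route file, $2 = scheme
    printf '%s' "$2" > "$1"
    chmod 0644 "$1"
}

# Hardened form (assumption: the route file lives in a dedicated directory
# that group and others cannot write to). mktemp creates the file exclusively;
# mv renames it over the final name, replacing a symlink instead of following it.
write_route_safe() {            # $1 = route file, $2 = scheme
    dir=$(dirname "$1")
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    case $(ls -ld "$dir") in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable: refuse
    esac
    tmp=$(mktemp "$dir/.route.XXXXXX") || return 1
    printf '%s' "$2" > "$tmp" && chmod 0644 "$tmp" &&
        mv -f "$tmp" "$1" || { rm -f "$tmp"; return 1; }
}

# Constructed demonstration: shows what each form does to a symlink's target.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/private"
    chmod 1777 "$box/shared"; chmod 0755 "$box/private"
    printf 'original' > "$box/other_file"
    ln -s "$box/other_file" "$box/shared/connect_route"
    ln -s "$box/other_file" "$box/private/masqmail-route"

    write_route_weak "$box/shared/connect_route" "isp1"
    echo "weak: other_file now contains '$(cat "$box/other_file")'"

    printf 'original' > "$box/other_file"
    write_route_safe "$box/shared/connect_route" "isp1" ||
        echo "safe: refused world-writable directory"
    write_route_safe "$box/private/masqmail-route" "isp1"
    echo "safe: other_file contains '$(cat "$box/other_file")'," \
         "route file contains '$(cat "$box/private/masqmail-route")'"
    rm -rf "$box"
}
demo
```

Removing the file first and then redirecting into the same /tmp path still leaves a gap between the unlink and the open; the rename inside a directory others cannot write to has no such gap.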