Your message dated Fri, 05 Aug 2016 22:37:29 +0000
with message-id <e1bvnk9-0001jg...@franck.debian.org>
and subject line Bug#831813: fixed in nullmailer 1:1.13-1.2
has caused the Debian Bug report #831813,
regarding nullmailer leaks sensitive data through debconf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
831813: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831813
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nullmailer
Version: 1:1.13-1
Severity: grave

The nullmailer package keeps sensitive information like users and
passwords to the mail accounts on the remote SMTP servers in the
'/etc/nullmailer/remotes' file, which is secured by 600 permissions and
owned by mail:mail.

However, after running command:

    dpkg-reconfigure -f noninteractive nullmailer

contents of this file are stored in the debconf database as cleartext in
the 'nullmailer/relayhost' database key and can be read by any user using
the command:

    debconf-get-selections | grep nullmailer

The 'dpkg-reconfigure' command cannot be executed directly by unprivileged
users. However, the debconf database reads the contents of the
'/etc/nullmailer/remotes' file and includes its contents in the database on
package installation. This behaviour occurs again on package
reinstallation - the debconf database is automatically updated with the
contents of the '/etc/nullmailer/remotes' file.

Therefore the sensitive information might show up in the
'debconf-get-selections' output after an automatic package upgrade or
package reinstallation.

Regards,
Maciej
--- End Message ---
--- Begin Message ---
Source: nullmailer
Source-Version: 1:1.13-1.2

We believe that the bug you reported is fixed in the latest version of
nullmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 831...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <z...@debian.org> (supplier of updated nullmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 31 Jul 2016 20:57:13 +0000
Source: nullmailer
Binary: nullmailer
Architecture: source
Version: 1:1.13-1.2
Distribution: unstable
Urgency: medium
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Christian Hofstaedtler <z...@debian.org>
Description:
 nullmailer - simple relay-only mail transport agent
Closes: 831813
Changes:
 nullmailer (1:1.13-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Do not keep relayhost data in debconf database longer than strictly needed.
     (Closes: #831813)
--- End Message ---
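
The condition described in the report, and the state the fix aims for, can be checked on a host by classifying the 'nullmailer/relayhost' entry in 'debconf-get-selections' output. The script below is an added example, not code from the nullmailer package or from this bug thread. It assumes the tab-separated owner/question/type/value layout of 'debconf-get-selections' output and that credentials appear as '--user=' / '--pass=' options as in nullmailer's remotes syntax; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Classify the nullmailer/relayhost entry found in `debconf-get-selections`
# output read from stdin (tab-separated: owner, question, type, value).
# Prints absent | empty | present | credentials; never echoes the value.
classify_relayhost() {
    awk -F '\t' '
        $2 == "nullmailer/relayhost" {
            seen = 1
            value = $4
            gsub(/^[ \t]+|[ \t]+$/, "", value)   # trim before judging emptiness
            if (value == "") { state = "empty" }
            else if (value ~ /--(user|pass)=/) { state = "credentials" }
            else { state = "present" }
        }
        END { print (seen ? state : "absent") }
    '
}

# Turn the classification into a verdict and exit status for cron/CI use.
audit_relayhost() {
    case "$(classify_relayhost)" in
        credentials) echo "FAIL: relay credentials readable via debconf"; return 2 ;;
        present)     echo "WARN: relayhost still cached in debconf";      return 1 ;;
        *)           echo "OK: no relayhost data in debconf";             return 0 ;;
    esac
}

# Constructed sample of a leaking database (hostname and credentials are made up).
sample_leaky() {
    printf 'example-pkg\texample-pkg/question\tstring\tunrelated\n'
    printf 'nullmailer\tnullmailer/relayhost\tstring\t%s\n' \
        'smtp.example.net smtp --user=relay --pass=CONSTRUCTED'
}

# Constructed sample with an empty relayhost value.
sample_clean() {
    printf 'nullmailer\tnullmailer/relayhost\tstring\t\n'
}

# Demo on the constructed input; on a real host use:
#   debconf-get-selections | audit_relayhost
sample_clean | audit_relayhost
```

Run as an unprivileged user, a FAIL verdict on a real host means the contents of '/etc/nullmailer/remotes' are still exposed through the debconf database.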