Your message dated Sat, 03 Sep 2016 18:17:11 +0000
with message-id <e1bgfv9-0003kj...@franck.debian.org>
and subject line Bug#831813: fixed in nullmailer 1:1.13-1+deb8u1
has caused the Debian Bug report #831813,
regarding nullmailer leaks sensitive data through debconf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
831813: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831813
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nullmailer
Version: 1:1.13-1
Severity: grave

The nullmailer package keeps sensitive information like users and
passwords to the mail accounts on the remote SMTP servers in the
'/etc/nullmailer/remotes' file, which is secured by 600 permissions and
owned by mail:mail.

However, after running command:

    dpkg-reconfigure -f noninteractive nullmailer

contents of this file are stored in the debconf database as cleartext in
the 'nullmailer/relayhost' database key and can be read by any user using
the command:

    debconf-get-selections | grep nullmailer

The 'dpkg-reconfigure' command cannot be executed directly by unprivileged
users. However, the debconf database reads the contents of the
'/etc/nullmailer/remotes' file and includes its contents in the database
on package installation. This behaviour occurs again on package
reinstallation - the debconf database is automatically updated with the
contents of the '/etc/nullmailer/remotes' file. Therefore the sensitive
information might show up in the 'debconf-get-selections' output after an
automatic package upgrade or package reinstallation.

Regards,
Maciej
--- End Message ---
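Added example (not part of the original report or of the nullmailer package): a shell check that reads `debconf-get-selections` output and reports whether the `nullmailer/relayhost` key described above still holds remote data. The sample lines, the `--user=`/`--pass=` option pattern, the tab-separated layout and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit debconf selections for the nullmailer/relayhost leak (Debian #831813).
# Assumed input layout, one entry per line, tab-separated:
#   owner <TAB> question <TAB> type <TAB> value

# Prints one verdict for the selections read on stdin:
#   CLEAN        key absent or empty
#   POPULATED    key still holds remote host data
#   CREDENTIALS  value carries --user=/--pass= style options
check_relayhost_leak() {
    awk -F '\t' '
        $2 == "nullmailer/relayhost" {
            value = $0
            # Drop the first three fields; keep the whole value.
            sub(/^[^\t]*\t[^\t]*\t[^\t]*\t?/, "", value)
            if (value ~ /--(user|pass)=/) verdict = "CREDENTIALS"
            else if (value != "" && verdict == "") verdict = "POPULATED"
        }
        END { print (verdict == "" ? "CLEAN" : verdict) }
    '
}

# Emits only the affected entries, with the password masked, so the
# audit output does not repeat the secret it is reporting on.
redact_relayhost() {
    awk -F '\t' '$2 == "nullmailer/relayhost"' |
        sed 's/\(--pass=\)[^[:space:]]*/\1REDACTED/g'
}

# Constructed sample: selections as they might look on an affected host.
sample_leaky() {
    printf 'nullmailer\tnullmailer/relayhost\tstring\tsmtp.example.org smtp --user=alice --pass=s3cret\n'
    printf 'nullmailer\tshared/mailname\tstring\thost.example.org\n'
}

# Constructed sample: the key is present but no longer holds a value.
sample_fixed() {
    printf 'nullmailer\tnullmailer/relayhost\tstring\t\n'
}

# Demo on the constructed samples. On a real host, pipe in the live data:
#   debconf-get-selections | check_relayhost_leak
sample_leaky | check_relayhost_leak
sample_leaky | redact_relayhost
sample_fixed | check_relayhost_leak
```

A verdict other than CLEAN means the contents of '/etc/nullmailer/remotes' are still readable through the debconf database, outside the file's 600 permissions.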
--- Begin Message ---
Source: nullmailer
Source-Version: 1:1.13-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
nullmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 831...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <z...@debian.org> (supplier of updated nullmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 06 Aug 2016 17:36:35 +0000
Source: nullmailer
Binary: nullmailer
Architecture: source
Version: 1:1.13-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Christian Hofstaedtler <z...@debian.org>
Description:
 nullmailer - simple relay-only mail transport agent
Closes: 831813
Changes:
 nullmailer (1:1.13-1+deb8u1) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Do not keep relayhost data in debconf database longer than
     strictly needed. (Closes: #831813)
     Backport of 1:1.13-1.2 from unstable.
--- End Message ---