Your message dated Sat, 1 Jul 2006 11:37:23 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#362627: fixed in freepops 0.0.98-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: freepops
Version: 0.0.98-2
Severity: grave
Tags: security
Justification: user security hole

Hi, I have been using freepops for a while for accessing some of my
accounts and I just discovered that the hotmail plugin seems to have a
*very* nasty side-effect: it creates a world-readable file named
log_raw.txt right under the root directory and it contains sensitive
information (the whole transaction/contents of the emails):

Here is an excerpt from such a file that does *not* contain sensitive
information:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Fri Apr 14 09:02:50 2006 : Session removed (STAT Failure) - Account: [EMAIL PROTECTED]
Fri Apr 14 09:05:32 2006 : Entering login
Fri Apr 14 09:05:43 2006 : Successful login
Fri Apr 14 11:14:41 2006 : Entering login
Fri Apr 14 11:14:52 2006 : Successful login
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Given the problem of such a breach, I'd think that the current
recommendation would be to disable the module. Other modules may be
affected by the same problem (I don't know, as I don't use many of
them).

Please, let me know if more information is needed.


Thanks, Rogério Brito.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16.5-1
Locale: LANG=C, LC_CTYPE=pt_BR (charmap=ISO-8859-1)

Versions of packages freepops depends on:
ii  debconf [debconf-2.0]         1.4.72     Debian configuration management sy
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libcurl3-gnutls               7.15.3-1   Multi-protocol file transfer libra
ii  libexpat1                     1.95.8-3   XML parsing C library - runtime li
ii  libgcrypt11                   1.2.2-1    LGPL Crypto library - runtime libr
ii  lsb-base                      3.0-16     Linux Standard Base 3.0 init scrip

freepops recommends no packages.

-- debconf information:
* freepops/jail: false
* freepops/init: true

-- 
Rogério Brito : [EMAIL PROTECTED] : http://www.ime.usp.br/~rbrito
Homepage of the algorithms package : http://algorithms.berlios.de
Homepage on freshmeat:  http://freshmeat.net/projects/algorithms/


--- End Message ---
--- Begin Message ---
Version: 0.0.99-1

On Sun, Apr 30, 2006 at 06:47:23AM -0700, Enrico Tassi wrote:
> We believe that the bug you reported is fixed in the latest version of
> freepops, which is due to be installed in the Debian FTP archive:

You don't seem to have included the changelog snippet for 0.0.98-3 in
0.0.99-1, so the BTS thinks you branched and that the bug is still present in
that version (see http://bugs.sesse.net/test-graphical.pl?pkg=freepops). I'm
marking this bug as closed in the right version (I've checked that the change
is indeed there), to unconfuse the BTS. For reference, the changelog
snippet:

>  freepops (0.0.98-3) unstable; urgency=low
>  .
>    * ENABLE_LOGRAW set to false. It is a debugging option left active by
>      mistake. (Closes: #362627)

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
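
A defender-side check for the exposure described in the report, as an added example that is not part of the original thread or of freepops: it looks for a world-readable `log_raw.txt` directly inside a given directory and removes group and other access from it. Only the file name comes from the report; the function names, the scratch directory and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not freepops code. LOG_NAME is the file name from the report;
# the directory is a parameter (in the report the file sat directly under /).
LOG_NAME="log_raw.txt"

# Print each regular file named $LOG_NAME directly inside $1 whose
# "other" read bit (mode & 0004) is set, i.e. any local user can read it.
find_exposed_logs() {
    find "$1" -maxdepth 1 -type f -name "$LOG_NAME" -perm -0004 -print
}

# Number of exposed logs found in $1.
count_exposed_logs() {
    find_exposed_logs "$1" | wc -l | tr -d ' '
}

# Strip group/other permissions from each exposed log; the owner keeps access.
# This contains the leak for data already written; it does not stop the
# daemon from logging (the packaged fix turned the debug option off).
lock_down_logs() {
    find "$1" -maxdepth 1 -type f -name "$LOG_NAME" -perm -0004 \
        -exec chmod go-rwx {} +
}

# Constructed demonstration on a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    echo "constructed sample line" > "$dir/$LOG_NAME"
    chmod 644 "$dir/$LOG_NAME"          # world-readable, as in the report
    before=$(count_exposed_logs "$dir")
    lock_down_logs "$dir"
    after=$(count_exposed_logs "$dir")
    rm -rf "$dir"
    echo "exposed before: $before, after: $after"
}

demo
```

Pointing `count_exposed_logs` at `/` on an affected host checks the location named in the report; a result of `0` after upgrading means no readable copy is left behind.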
