Message-ID: <1065121811.13859.10.camel@johnm.willow.local>
From: johnm at gentoo.org (John Mylchreest)
Subject: GLSA: vpopmail (200310-01)
GENTOO LINUX SECURITY ANNOUNCEMENT
---------------------------------------------------------------------
PACKAGE : vpopmail
SUMMARY : Insecure file permissions.
DATE : 2003-10-02 18:28 UTC
EXPLOIT : local
VERSIONS AFFECTED : <=5.2.1-r5
FIXED VERSION : 5.2.1-r6
GENTOO BUG # : 23502
CVE : none known at present time
---------------------------------------------------------------------
DESCRIPTION:
The file /etc/vpopmail.conf which is distributed by versions of
vpopmail less than 5.2.1-r6 has insecure permissions when merged
with USE="mysql" causing it to be world readable.
This means that any local user is able to view the contents of this
file. The file contains unencrypted password information used to
access the MySQL database server to modify the vpopmail table
information.
SOLUTION:
chmod 640 /etc/vpopmail.conf
emerge sync
emerge -u vpopmail -pv
emerge -u vpopmail
emerge clean
--
John Mylchreest.
Gentoo Linux: http://www.gentoo.org
Public Key: gpg --recv-keys 0xEAB9E721
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEAB9E721
Key fingerprint: 0670 E5E4 F461 806B 860A 2245 A40E 72EB EAB9 E721
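A check for the exposure described in the advisory, as an added example that is not part of the original announcement or of Gentoo's tooling: it reports whether a credentials file such as /etc/vpopmail.conf grants any permission to "other", which is what the `chmod 640` in the solution removes. The function name `check_conf_perms` is hypothetical, GNU coreutils `stat -c` is assumed, and the demo runs on a constructed temporary file rather than the real configuration.

```shell
#!/bin/sh
# Added example: audit a file holding database credentials for
# world-accessible permissions (the condition the advisory describes).
#
# check_conf_perms FILE   (hypothetical helper name)
#   returns 0  no permission bits set for "other" (e.g. 640, 600)
#   returns 1  at least one "other" bit set (e.g. 644): any local user has access
#   returns 2  file missing or stat failed
check_conf_perms() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 2
    fi
    # Assumes GNU stat: %a = octal mode, %U:%G = owner and group names.
    mode=$(stat -c '%a' "$f") || return 2
    owner=$(stat -c '%U:%G' "$f") || return 2
    # Keep only the low three bits (r/w/x for "other").
    other=$(( 0$mode & 07 ))
    if [ "$other" -ne 0 ]; then
        echo "EXPOSED  $f mode=$mode owner=$owner (other bits: $other)"
        return 1
    fi
    echo "OK       $f mode=$mode owner=$owner"
    return 0
}

# Demo on a constructed file standing in for /etc/vpopmail.conf.
demo_conf=$(mktemp)
chmod 644 "$demo_conf"              # mode of the affected install: world readable
check_conf_perms "$demo_conf" || :  # prints EXPOSED
chmod 640 "$demo_conf"              # the advisory's fix
check_conf_perms "$demo_conf" || :  # prints OK
rm -f "$demo_conf"
```

On a real host, call `check_conf_perms /etc/vpopmail.conf` before and after applying the solution; mode 640 only helps if the file's group contains no unintended members.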