Package: mldonkey-server
Version: 2.5.28-2
Severity: grave
Tags: security
Justification: user security hole

Sylvain, thank you for your work to package mldonkey-server.

downloads.ini is created with permissions for the group users to write the file and thus change the admin password, this should not be the case. Furthermore, the file is world-readable which IMHO should not be allowed either.

Best
Rolf

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.4.26.041120
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mldonkey-server depends on:
ii  adduser                3.63           Add and remove users and groups
ii  debconf [debconf-2.0]  1.4.30.11      Debian configuration management sy
ii  libc6                  2.3.2.ds1-20   GNU C Library: Shared libraries an
ii  mime-support           3.28-1         MIME files 'mime.types' & 'mailcap
ii  ucf                    1.14           Update Configuration File: preserv
ii  zlib1g                 1:1.2.2-3      compression library - runtime

-- debconf information excluded
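
The two conditions named in the report (group-writable and world-readable) can be checked mechanically. The shell sketch below is an added example, not part of the original report or of the mldonkey-server package; the function names are hypothetical, the file is a constructed temporary stand-in for downloads.ini, and it assumes the daemon's own account owns the file so that mode 600 is sufficient.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of a config file that stores a
# password. audit_secret_file / harden_secret_file are hypothetical names.

# Print one finding per excess permission bit.
# Returns 0 if the mode is acceptable, 1 if not, 2 if the file is missing.
audit_secret_file() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # find -perm -MODE matches only when every bit in MODE is set.
    if [ -n "$(find "$f" -prune -perm -020)" ]; then
        echo "group-writable: $f"   # group members could rewrite the password
        rc=1
    fi
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "world-readable: $f"   # any local user could read the file
        rc=1
    fi
    if [ -n "$(find "$f" -prune -perm -002)" ]; then
        echo "world-writable: $f"
        rc=1
    fi
    return $rc
}

# Restrict the file to its owner (assumption: the daemon account owns it).
harden_secret_file() {
    chmod 600 "$1"
}

# Demonstration on a constructed file created with the mode from the report.
demo() {
    d=$(mktemp -d) || return 1
    conf="$d/downloads.ini"
    : > "$conf"
    chmod 664 "$conf"
    audit_secret_file "$conf" || true
    harden_secret_file "$conf"
    audit_secret_file "$conf" && echo "clean: $conf"
    rm -rf "$d"
}

demo
```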