Hi Duncan

On Sat, Dec 17, 2011 at 08:12:10PM -0800, Duncan Smith wrote:
> Package: esmtp
> Version: 1.2-4squeeze1
> Severity: normal
> Tags: patch
>
>
> The package as shipped ensures that the configuration file is not a
> symbolic link. This is most likely unnecessary, as I don't believe
> there is any security risk in reading from a symlink.
>
> Changing 'lstat' to 'stat' on line 170 of parser.y fixes this. I've
> attached a patch.
>
> I keep my configuration files in a version-controlled directory,
> ~/etc, and symlink them into ~/. esmtp is the only package I use that
> complains about this arrangement.
>
> (This is the first bug I've reported to Debian. Please let me know if
> I've messed up somehow.)

Congratulations on your first report :)

I'm not ignoring your request, but need to find time to check if it is
really safe to allow symlinks for the configuration file.

Thanks for using esmtp!

Regards,
Salvatore

p.s.: I have merged the two created reports.
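
The lstat/stat question raised in this thread, as an added example that is not part of the report, the attached patch or esmtp's code: lstat() describes the link itself, while opening the path and calling fstat() on the descriptor validates the file a symlink resolves to. The function names, result codes and the policy enforced (regular file, owned by the caller, no group/other permission bits) are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* declares lstat() and fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes (hypothetical names, not esmtp's). */
enum cfg_status { CFG_OK, CFG_OPEN_FAILED, CFG_NOT_REGULAR, CFG_BAD_OWNER, CFG_BAD_MODE };

/* What lstat() sees: 1 if the path itself is a symlink, 0 if not, -1 on error. */
int path_is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Open the path (symlinks are followed) and validate the object that was
 * actually opened. fstat() on the descriptor leaves no window between the
 * check and the read. Assumed policy: regular file, owned by the caller,
 * no group/other permission bits. On CFG_OK the caller owns *fd_out. */
enum cfg_status check_config(const char *path, int *fd_out)
{
    struct stat st;
    enum cfg_status rc = CFG_OK;
    int fd = open(path, O_RDONLY | O_NONBLOCK); /* O_NONBLOCK: never hang on a FIFO */
    if (fd < 0) return CFG_OPEN_FAILED;
    if (fstat(fd, &st) != 0)                   rc = CFG_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))             rc = CFG_NOT_REGULAR;
    else if (st.st_uid != geteuid())           rc = CFG_BAD_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO)) rc = CFG_BAD_MODE;
    if (rc != CFG_OK) { close(fd); return rc; }
    *fd_out = fd;
    return CFG_OK;
}

int main(int argc, char **argv)
{
    int fd;
    if (argc != 2) return 2;
    enum cfg_status rc = check_config(argv[1], &fd);
    printf("symlink=%d status=%d\n", path_is_symlink(argv[1]), (int)rc);
    if (rc == CFG_OK) close(fd);
    return rc == CFG_OK ? 0 : 1;
}
```

With this approach a symlinked configuration file is accepted only when its target passes the same ownership and mode checks as a regular file would.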