Your message dated Tue, 15 Jul 2008 23:03:46 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#481347: fixed in sendmail 8.14.3-5
has caused the Debian Bug report #481347,
regarding logcheck: Logcheck leaves world-readable dead.letter
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
481347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481347
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: logcheck
Version: 1.2.54
Severity: grave
Tags: security
Justification: user security hole
Logcheck can leave a world readable dead.letter that contains parsed
logs.
Steps to reproduce:
* Create a lot of logs that will not be filtered by logcheck. (very
easy). 10MBytes should be enough. You have an hour to do so.
* When logcheck runs it will produce a file of size X MBytes to be
mailed to root
* Most MTAs have a limit for the maximum message size. If it is exceeded
and you're using sendmail, the mail will be saved in a file named dead.letter
* For logcheck this is placed in: /var/lib/logcheck/dead.letter
* Go read this file and get some logs that you should not see
Example file:
-rw-r--r-- 1 logcheck logcheck 17001006 2008-05-15 15:02 /var/lib/logcheck/dead.letter
Proposed solution:
Change permissions of /var/lib/logcheck dir to 770
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages logcheck depends on:
ii adduser 3.102 Add and remove users and groups
ii cron 3.0pl1-100 management of regular background p
ii debconf 1.5.11etch1 Debian configuration management sy
ii grep 2.5.1.ds2-6 GNU grep, egrep and fgrep
ii lockfile-progs 0.1.10 Programs for locking and unlocking
ii logtail 1.2.54 Print log file lines that have not
ii mailx 1:8.1.2-0.20050715cvs-1 A simple mail user agent
ii sendmail-bin [ma 8.13.8-3 powerful, efficient, and scalable
ii sysklogd [system 1.4.1-18 System Logging Daemon
Versions of packages logcheck recommends:
ii logcheck-database 1.2.54 database of system log rules for t
-- no debconf information
--- End Message ---
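An added check, not part of the bug report or of the logcheck or sendmail packages, that audits the state directory the report names for the exposure it describes: a dead.letter written by the MTA under /var/lib/logcheck that users other than the logcheck account can read. It assumes GNU (or busybox) `stat -c '%a'` for the octal mode, takes the directory path as its only argument, and applies the report's proposed remediation (no permission bits for 'other') in a separate function.

```shell
#!/bin/sh
# Added example (not from the bug report or from the logcheck/sendmail
# packages). Audits a logcheck state directory for the exposure described
# in #481347: an MTA-written dead.letter, full of unfiltered log lines,
# that users other than the logcheck account can read.
# Assumes GNU/busybox `stat -c '%a'` (octal mode string).

# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
check_logcheck_state_dir() {
    dir="$1"
    status=0

    # The directory: the report proposes 770, i.e. no bits for 'other'.
    # The last octal digit is the 'other' class; anything but 0 is a finding.
    dir_mode=$(stat -c '%a' "$dir") || return 1
    case "$dir_mode" in
        *[1-7]) echo "FINDING: $dir is mode $dir_mode (grants access to 'other')"
                status=1 ;;
    esac

    # dead.letter is what sendmail leaves behind when the logcheck mail is
    # refused for size; a read bit for 'other' (4-7) exposes its contents.
    f="$dir/dead.letter"
    if [ -e "$f" ]; then
        file_mode=$(stat -c '%a' "$f")
        case "$file_mode" in
            *[4-7]) echo "FINDING: $f is mode $file_mode (world-readable)"
                    status=1 ;;
        esac
    fi
    return "$status"
}

# Remediation from the report: drop every 'other' bit on the directory,
# and on any dead.letter already left behind in it.
harden_logcheck_state_dir() {
    chmod 770 "$1"
    if [ -e "$1/dead.letter" ]; then
        chmod o-rwx "$1/dead.letter"
    fi
}

# Usage: sh audit_logcheck.sh /var/lib/logcheck
if [ -n "${1:-}" ]; then
    if check_logcheck_state_dir "$1"; then
        echo "OK: $1 grants nothing to 'other'"
    fi
fi
```

The directory check matters even after the file itself is fixed: a 755 directory lets any local user list it and notice when a new dead.letter appears, and a future MTA write with a permissive umask would be exposed again, so the 770 directory is the durable part of the remediation.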
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.3-5
We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive:
libmilter-dev_8.14.3-5_amd64.deb
to pool/main/s/sendmail/libmilter-dev_8.14.3-5_amd64.deb
libmilter1.0.1-dbg_8.14.3-5_amd64.deb
to pool/main/s/sendmail/libmilter1.0.1-dbg_8.14.3-5_amd64.deb
libmilter1.0.1_8.14.3-5_amd64.deb
to pool/main/s/sendmail/libmilter1.0.1_8.14.3-5_amd64.deb
rmail_8.14.3-5_amd64.deb
to pool/main/s/sendmail/rmail_8.14.3-5_amd64.deb
sendmail-base_8.14.3-5_all.deb
to pool/main/s/sendmail/sendmail-base_8.14.3-5_all.deb
sendmail-bin_8.14.3-5_amd64.deb
to pool/main/s/sendmail/sendmail-bin_8.14.3-5_amd64.deb
sendmail-cf_8.14.3-5_all.deb
to pool/main/s/sendmail/sendmail-cf_8.14.3-5_all.deb
sendmail-doc_8.14.3-5_all.deb
to pool/main/s/sendmail/sendmail-doc_8.14.3-5_all.deb
sendmail_8.14.3-5.diff.gz
to pool/main/s/sendmail/sendmail_8.14.3-5.diff.gz
sendmail_8.14.3-5.dsc
to pool/main/s/sendmail/sendmail_8.14.3-5.dsc
sendmail_8.14.3-5_all.deb
to pool/main/s/sendmail/sendmail_8.14.3-5_all.deb
sensible-mda_8.14.3-5_amd64.deb
to pool/main/s/sendmail/sensible-mda_8.14.3-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Richard A Nelson (Rick) <[EMAIL PROTECTED]> (supplier of updated sendmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.8
Date: Tue, 15 Jul 2008 22:25:00 -0000
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all amd64
Version: 8.14.3-5
Distribution: unstable
Urgency: high
Maintainer: Richard A Nelson (Rick) <[EMAIL PROTECTED]>
Changed-By: Richard A Nelson (Rick) <[EMAIL PROTECTED]>
Description:
libmilter-dev - Sendmail Mail Filter API (Milter)
libmilter1.0.1 - Sendmail Mail Filter API (Milter)
libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter)
rmail - MTA->UUCP remote mail handler
sendmail - powerful, efficient, and scalable Mail Transport Agent
sendmail-base - powerful, efficient, and scalable Mail Transport Agent
sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
sensible-mda - Mail Delivery Agent wrapper
Closes: 481347 490776
Changes:
sendmail (8.14.3-5) unstable; urgency=high
.
* Sendmail uses the same filemode for pid/hoststat/dead.letter/etc
files :( To prevent world readable dead.letter files, we have to
restrict other data as well (like hoststat/mailq) Closes: #481347
.
* Remove confNO_RCPT_ACTION for better spam detection Closes: #490776
.
* Several changes thanks to Joe Maimon
+ Update sample access db to not block Connect:0, as it
has the unintended side effect of killing sendmail -bs -Am :(
+ add autoconf AC_PROG_MKDIR_P
+ rewrite SM_RESULTS_IFELSE autoconf macro with AC_RUN_IFELSE
why didn't I think of that, but still, it was an experience :)
.
* Improve the sendmail.conf comment, and parsing of timespecs
when creating crontabs (also randomize start times)
Thanks to Michael J. Micek
.
* Improve the sendmail.conf commentary for QUEUE_INTERVAL
to note how to create persistent queue-runners (p120m)
Thanks to Michael J. Micek
.
* Milter changes for increased performance
+ Enable poll (vs select)
+ Enable _FFR_WORKERS_POOL
.
* Init script touch-ups
+ Make init script depend on $syslog
+ Remove 0 and 6 from Default-Stop in init script
Checksums-Sha1:
e787a16d750049c5aa0a7c666b7690198beb3169 1574 sendmail_8.14.3-5.dsc
c1a1d4b0eb02b0d7c86e1411dc5737bac5f229da 364395 sendmail_8.14.3-5.diff.gz
fa4c66b759c7af9f1aabb556709ba4441a917ad7 835468 sendmail-doc_8.14.3-5_all.deb
f737d0a7e8784013d1597ac5383769c6fe76c700 206512 sendmail_8.14.3-5_all.deb
e6389b36385298060873c8a05f75526722d3e779 359204 sendmail-base_8.14.3-5_all.deb
367566895e5f2c9a22b3b1a544afcae1b41a3a6f 295154 sendmail-cf_8.14.3-5_all.deb
209e4d38fb73055a1585ed001aa62a23ac1bdeca 976540 sendmail-bin_8.14.3-5_amd64.deb
8c238fe83ef5b1a0e85aa5b3884031114ceff588 246440 rmail_8.14.3-5_amd64.deb
3f795468f6923091a6e1839a420ceb7b715aadd2 214570 sensible-mda_8.14.3-5_amd64.deb
4dd15341cd47abd94a76005148945244039287b1 237418 libmilter1.0.1_8.14.3-5_amd64.deb
b3f7f42bc2b54542f94259387f45d8c52f2032e2 255616 libmilter1.0.1-dbg_8.14.3-5_amd64.deb
aab5a0397f885fb18638de521c3926574c4818dd 328582 libmilter-dev_8.14.3-5_amd64.deb
Checksums-Sha256:
512a090fc8b6d8de179e8d3c95a0badfcf3b554765f1002d1167f2fe7e5368b7 1574 sendmail_8.14.3-5.dsc
ffb28822f741f4a120e74328334768caf93fc8e95f82e3559f18d275c552a60c 364395 sendmail_8.14.3-5.diff.gz
85914c72cb783f0d4f81ca1b6e7716b53d7235cfff06207d924072fb19e190da 835468 sendmail-doc_8.14.3-5_all.deb
eedaf6f6f9a1aa9ad87d7fe1fc6dd590da07b7e4c4aef1936ee9c967d5b85bfb 206512 sendmail_8.14.3-5_all.deb
3ad39a6f5c2815ab68d090e3b4746c7df47d6d8bb91e3a3c68263669c41a776a 359204 sendmail-base_8.14.3-5_all.deb
b37ce4321f73b05554402ac82cb84de25dc4556242a3d7f778f0c30f95bc327a 295154 sendmail-cf_8.14.3-5_all.deb
b6e29078aee993890ebbaedcf70e7ad57c6a758017c3202f894c3526c2572024 976540 sendmail-bin_8.14.3-5_amd64.deb
6c3729e7f01fcecc20191ac9fc7759bbd622b3f5de314e3c279f3ad51e463df5 246440 rmail_8.14.3-5_amd64.deb
75b6a7854900e777a956fbb0a35264b5ff901551f33208fe03aae5f681403acf 214570 sensible-mda_8.14.3-5_amd64.deb
c9a92cbaef03db916215325fd66ef4f0b39f4db2e1b64af92fd03b29e92b4f8c 237418 libmilter1.0.1_8.14.3-5_amd64.deb
b0056fc78329890a47a8b6d44975d13f8828e2a1b1f0692b42ae4ed060a89b25 255616 libmilter1.0.1-dbg_8.14.3-5_amd64.deb
5547b74d9a9761844bd591c2780217d63811362b97bf76ce4b4d966507883064 328582 libmilter-dev_8.14.3-5_amd64.deb
Files:
b8ea9a73bb7f358d1c9e21fec9e4795e 1574 mail extra sendmail_8.14.3-5.dsc
8e4ecaaf4cea2500edefdb8dcbd2bf76 364395 mail extra sendmail_8.14.3-5.diff.gz
c74d5fdabd987df8748ec0dccc57e5b7 835468 doc extra sendmail-doc_8.14.3-5_all.deb
85fa69951b430c60ff9ce5455166d056 206512 mail extra sendmail_8.14.3-5_all.deb
754b8dbeefe24a7b501b8cfc9b03764e 359204 mail extra sendmail-base_8.14.3-5_all.deb
c362f02eb39cd27b67b0773fa475056a 295154 mail extra sendmail-cf_8.14.3-5_all.deb
f648c52908f5a78a484832e939b082df 976540 mail extra sendmail-bin_8.14.3-5_amd64.deb
5943efb296ec2c6d4bd545decb38c760 246440 mail extra rmail_8.14.3-5_amd64.deb
b38a1fe53e0268b7180027fa65dee5b4 214570 mail extra sensible-mda_8.14.3-5_amd64.deb
8a45a6a55a5727a4936a3ba87e79102d 237418 libs extra libmilter1.0.1_8.14.3-5_amd64.deb
ee515721bd7f56da915720e4b5a39fdb 255616 libs extra libmilter1.0.1-dbg_8.14.3-5_amd64.deb
55e98cef0515ff7c5471fedaa9dfaa3b 328582 libdevel extra libmilter-dev_8.14.3-5_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQCVAwUBSH0mK6VTksHk9ElFAQHihwP9HIt0NeD6sm1Ttx+MmdV/4sb5eQnKfwTY
5V5r22ZjczAA0Uk7Ma9280GkHTwiZt0GeldQY0BMTILeyR5LgHZuFTt1kpGruqPp
TqJ377ycWlryrYLin28/4p0o8EuAwE/pFWVFuj0Z//YQ8sr88/jFHM9rv/s9PpHW
e+rLAAvQlHI=
=dxe4
-----END PGP SIGNATURE-----
--- End Message ---