After evaluating dependencies, required further changes and mostly
maintainability for security and packaging it was decided there are too
many concerns - not about any single package in particular, but the
overall Mailman3 stack - about the ability to maintain and monitor it as
well as we need it
** Changed in: python-aiosmtpd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820212
Title:
[MIR] python-aiosmtpd as de
I reviewed python-aiosmtpd version 1.2-3 as checked into eoan as of this
writing.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-aiosmtpd is an asyncio based SMTP server.
- Last commit from March
- No CVE history
- Build-depends:
  - debhelper,
  - dh
On Sat, May 11, 2019 at 5:15 AM Seth Arnold <1820...@bugs.launchpad.net> wrote:
>
> Eduardo is taking a look at this package for the security team and
> pointed out that it is doing a setuid to user 'nobody'.
>
> This isn't a safe design. User nobody is strictly for NFS's use and must
> not be used
Eduardo is taking a look at this package for the security team and
pointed out that it is doing a setuid to user 'nobody'.
This isn't a safe design. User nobody is strictly for NFS's use and must
not be used by any running processes on the system.
This service probably needs its own user account.
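
The privilege drop recommended in the comment above, sketched as an added example that is not part of the bug thread and is not aiosmtpd's code: it refuses root and the shared 'nobody' account, then drops groups, gid and uid in that order and checks the drop is permanent. The account name `aiosmtpd`, the uid 998 and the injectable `getpwnam`/`osmod` parameters are assumptions made for illustration.

```python
import os
import pwd
from collections import namedtuple

# Accounts shared with other subsystems; uid 65534 is 'nobody' on Debian/Ubuntu.
SHARED_NAMES = {"nobody"}
SHARED_IDS = {65534}

class UnsafeServiceAccount(ValueError):
    """The requested account must not own a long-running daemon."""

def check_service_account(entry):
    """Reject root and shared accounts; entry is a pwd.struct_passwd-like object."""
    if entry.pw_uid == 0 or entry.pw_gid == 0:
        raise UnsafeServiceAccount(f"{entry.pw_name}: still root")
    if entry.pw_name in SHARED_NAMES or entry.pw_uid in SHARED_IDS:
        raise UnsafeServiceAccount(f"{entry.pw_name}: shared account, not a service user")
    return entry

def drop_privileges(username, getpwnam=pwd.getpwnam, osmod=os):
    """Permanently switch from root to a dedicated account.

    getpwnam and osmod are injectable (an assumption of this example) so the
    ordering can be exercised without root.
    """
    entry = check_service_account(getpwnam(username))
    osmod.setgroups([])          # 1. drop root's supplementary groups
    osmod.setgid(entry.pw_gid)   # 2. group first: not permitted once uid is dropped
    osmod.setuid(entry.pw_uid)   # 3. user last: sets real, effective and saved uid
    try:
        osmod.setuid(0)          # 4. prove the drop cannot be undone
    except OSError:
        return entry
    raise RuntimeError("process was able to regain uid 0")

if __name__ == "__main__":
    # Constructed passwd entries; no privileges are changed here.
    Entry = namedtuple("Entry", "pw_name pw_uid pw_gid")
    for e in (Entry("aiosmtpd", 998, 998), Entry("nobody", 65534, 65534)):
        try:
            check_service_account(e)
            print(e.pw_name, "ok")
        except UnsafeServiceAccount as err:
            print("rejected:", err)
```

A process running as a shared account can signal, trace and read the files of every other process using that account, which is why the check rejects it before any identity change is attempted.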
[Duplication]
No duplication of that functionality in the Archive in general or main in
particular.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package
[Security]
I can confirm that there