Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] [USN-88-1] reportbug information disclosure

from [Martin Pitt] Network Security [Permanent Link]
Subject: [Full-Disclosure] [USN-88-1] reportbug information disclosure
Date: Mon, 28 Feb 2005 13:52:36 +0100 
===========================================================
Ubuntu Security Notice USN-88-1           February 28, 2005
reportbug information disclosure
https://bugzilla.ubuntulinux.org/6600
https://bugzilla.ubuntulinux.org/6717
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

reportbug

The problem can be corrected by upgrading the affected package to
version 2.62ubuntu1.1.  In general, a standard system upgrade is
sufficient to effect the necessary changes. However, if your users
already have ~/.reportbugrc files with SMTP passwords, you need to
manually change their permissions with

  chmod 600 .reportbugrc

Details follow:

Rolf Leggewie discovered two information disclosure bugs in reportbug.

The per-user configuration file ~/.reportbugrc was created
world-readable. If it contained email smarthost passwords, these were
readable by any other user on the computer storing the home directory.

reportbug usually includes the settings from ~/.reportbugrc in
generated bug reports. This included the "smtppasswd" setting (the
password for an SMTP email smarthost) as well. The password is
now hidden from reports.

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/r/reportbug/reportbug_2.62ubuntu1.1.dsc
      Size/MD5:      540 19dab43ca7c942311e87ad5e48e32a39
    
http://security.ubuntu.com/ubuntu/pool/main/r/reportbug/reportbug_2.62ubuntu1.1.tar.gz
      Size/MD5:   115256 9b3fbec6a6974274068afb08835f0fdc

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/r/reportbug/reportbug_2.62ubuntu1.1_all.deb
      Size/MD5:   104630 f051c98020dffd1e8ae3253ab72e88ce

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] [USN-88-1] reportbug information disclosure, Martin Pitt <=
Previous by Date:  [Full-Disclosure] [USN-87-1] Cyrus IMAP server vulnerability, Martin Pitt
Next by Date:  [Full-Disclosure] [TURBOLINUX SECURITY INFO] 28/Feb/2005, Turbolinux
Previous by Thread:  [Full-Disclosure] [USN-87-1] Cyrus IMAP server vulnerability, Martin Pitt
Next by Thread:  [Full-Disclosure] [TURBOLINUX SECURITY INFO] 28/Feb/2005, Turbolinux
Indexes:  [Date] [Thread] [Top] [All Lists]