Date: Sun, 30 Oct 2005 22:37:40 +0100
From: "Simon L. Nielsen"
To: Simon Barner
Cc: doc@FreeBSD.org
Subject: Re: Please review: New vuln.xml entry for ports/mail/fetchmail

On 2005.10.30 20:50:07 +0100, Simon Barner wrote:

> could you please review the attached patch?

Looks good, except for a few minor issues (see below).

> Index: vuln.xml > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v > retrieving revision 1.868 > diff -u -r1.868 vuln.xml > --- vuln.xml 27 Oct 2005 19:40:24 -0000 1.868 > +++ vuln.xml 30 Oct 2005 19:47:37 -0000 > @@ -34,6 +34,36 @@ > =20 > --> > > + > + fetchmailconf -- password exposure through insecure file crea= tion

This first part is the portname by convention. I would suggest the following to avoid getting the topic too long.

fetchmail -- fetchmailconf local password exposure

> + > + > + fetchmail > + 6.2.5.2_1 > + > + > + =20
^ EOL whitespace

> + > +

From the fetchmail home page:

> +
> +

The fetchmailconf program before and excluding version 1.49 opened= the > + run control file, wrote the configuration to it, and only then chan= ged > + the mode to 0600 (rw-------). Writing the file, which usually conta= ins > + passwords, before making it unreadable to other users, can expose > + sensitive password information.

> +
> + > +
> + > + CVE-2005-3088 > + http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt > + > + > + 2005-10-21 > + 2005-10-30 > + > +
> + =20
^^ EOL whitespace

> > ruby -- vulnerability in the safe level settings >

--
Simon L. Nielsen
FreeBSD Security Team
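
Review bot: the quoted description gives the fix boundary as fetchmailconf "before and excluding version 1.49", while the affected range listed above it is for the fetchmail package at 6.2.5.2_1, which is a different numbering scheme. Please confirm that port revision 6.2.5.2_1 is the first one to ship the corrected fetchmailconf, and state that mapping in the commit message so the range boundary can be checked later.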