Package: quassel-client
Version: 1:0.12.2-2
Severity: grave
Tags: security
Justification: user security hole

As I was trying to set up CertFP I had a look at ~/.config/quassel-irc.org and noticed the following:

-rw-r--r-- 1 diederik diederik 8101 nov 28 03:01 quasselclient.conf

Looking into that file I could easily see my password and that combined with the security settings of that file did not make me happy.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages quassel-client depends on:
ii  dbus-x11              1.10.4-1
ii  gawk                  1:4.1.1+dfsg-1
ii  libc6                 2.19-22
ii  libdbusmenu-qt5-2     0.9.3+15.10.20150604-1
ii  libkf5configwidgets5  5.15.0-1
ii  libkf5coreaddons5     5.15.0-1
ii  libkf5notifications5  5.15.0-1
ii  libkf5notifyconfig5   5.15.0-1
ii  libkf5sonnetui5       5.15.0-1
ii  libkf5textwidgets5    5.15.0-1
ii  libkf5widgetsaddons5  5.15.0-1
ii  libkf5xmlgui5         5.15.0-1
ii  libphonon4qt5-4       4:4.8.3-2
ii  libqt5core5a          5.5.1+dfsg-8
ii  libqt5dbus5           5.5.1+dfsg-8
ii  libqt5gui5            5.5.1+dfsg-8
ii  libqt5network5        5.5.1+dfsg-8
ii  libqt5webkit5         5.5.1+dfsg-2
ii  libqt5widgets5        5.5.1+dfsg-8
ii  libstdc++6            5.2.1-26
ii  phonon4qt5            4:4.8.3-2
ii  quassel-data          1:0.12.2-2
ii  zlib1g                1:1.2.8.dfsg-2+b1

quassel-client recommends no packages.

quassel-client suggests no packages.

-- no debconf information

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
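
A local check for the condition described in the report, as an added example that is not part of the original message or of Quassel: it lists settings files that group or others can read and can restrict them to the owner. The function names are hypothetical; the default directory is the one named in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the Quassel project).
# Function names are hypothetical; the default directory is the one
# the report names. Pass another directory as the first argument.

CONF_DIR_DEFAULT="$HOME/.config/quassel-irc.org"

# List every regular file under DIR that group or others can read.
# Returns 0 if at least one exists, 1 if none, 2 if DIR is missing.
audit_conf_perms() {
    dir=${1:-$CONF_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -040 / -004: group-read or other-read bit set (POSIX find).
    found=$(find "$dir" -type f \( -perm -040 -o -perm -004 \) \
                 -exec ls -l {} +)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
    return 0
}

# Restrict the settings tree to its owner: 700 on directories,
# 600 on files. Files the client rewrites later get whatever mode
# the client and the umask choose, so re-run the audit afterwards.
harden_conf_perms() {
    dir=${1:-$CONF_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Usage after sourcing this file:
#   audit_conf_perms && harden_conf_perms
```

Restricting the mode only keeps other local accounts from reading the file; the password is still stored in the file as the report describes.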