Your message dated Mon, 11 May 2009 19:19:15 +0100
with message-id <[email protected]>
and subject line ecartis has been removed from Debian, closing #348824
has caused the Debian Bug report #348824,
regarding ecartis: arbitrary web content security problem
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
348824: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348824
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ecartis
Version: 1.0.0+cvs.20030911-10
Severity: grave
Tags: security
Justification: user security hole
Matthias Kilian reported this problem to the ecartis-dev mailing list.
It probably affects ecartis in oldstable, stable, testing, and
unstable, but only when using the non-default option pantomime-dir.
It's a simple conceptual problem with pantomime: when pantomime-dir
is set, ecartis strips attachments not only from mails to
<$list>@<$hostname>, but also from mails to <$list>-request@<$hostname>,
and maybe from mails to other administrative addresses -- I did
only check for -requ...@.
This means that anyone could abuse ecartis lists with pantomime for
distributing arbitrary (illegal) content without being subscribed
to any mailing list (even if all lists are closed-post) and without
the list-owner and anyone else noticing.
A solution would be to pantomime *only* on the mailing lists, not
on administrative addresses.
Upstream is working on a solution. It doesn't affect the current CVS
version only because pantomime is completely broken.
Workarounds would be to disable pantomime or have it decode files into
an inaccessible directory and move only approved files out.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ecartis depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii logrotate 3.7-5 Log rotation utility
ii sendmail-bin [mail-transpor 8.13.4-3 powerful, efficient, and scalable
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 1.0.0+cvs.20060813-1+rm
The ecartis package has been removed from Debian so we are closing
the bugs that were still open against it.
For more information about this package's removal, read
http://bugs.debian.org/494617 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
Kind regards,
--
Marco Rodrigues
--- End Message ---