Your message dated Sat, 21 Jan 2017 17:03:54 +0000
with message-id <[email protected]>
and subject line Bug#849531: fixed in logwatch 7.4.3+git20161207-2
has caused the Debian Bug report #849531,
regarding Possible security problem, new logwatch sends mails with charset UTF-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
849531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849531
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: logwatch
Version: 7.4.3+git20161207-1
Severity: critical

Current logwatch did change from sending mails with charset iso-8859-1
to UTF-8. This opens up a potential security hole as UTF-8 is not able
to display all 8bit data.

This is especially true as the output from logwatch is from an untrusted
source where someone could easily put some malicious content in. Logwatch
does nothing to clean up the mail content or convert it from the native
charset to UTF-8.

Note that this bug went in recently as 7.4.0 did not have this bug
(neither does 7.4.1). I do not find any upstream changelog in the
package and when I download it from upstream directly, I cannot find any
note of this breaking change.

- -- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages logwatch depends on:
ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
pn  perl:any                                   <none>

Versions of packages logwatch recommends:
ii  libdate-manip-perl   6.56-1
ii  libsys-cpu-perl      0.61-2+b1
pn  libsys-meminfo-perl  <none>

Versions of packages logwatch suggests:
ii  fortune-mod  1:1.99.1-7

- -- no debconf information

- -- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Comment: Charset: ISO-8859-1
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: logwatch
Source-Version: 7.4.3+git20161207-2

We believe that the bug you reported is fixed in the latest version of
logwatch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <[email protected]> (supplier of updated logwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Jan 2017 17:44:03 +0100
Source: logwatch
Binary: logwatch
Architecture: source
Version: 7.4.3+git20161207-2
Distribution: unstable
Urgency: medium
Maintainer: Willi Mann <[email protected]>
Changed-By: Willi Mann <[email protected]>
Description:
 logwatch   - log analyser with nice output written in Perl
Closes: 849531
Changes:
 logwatch (7.4.3+git20161207-2) unstable; urgency=medium
 .
   * Revert upstream's change of the declared mail charset.
     The declared mail charset in mails from Logwatch was recently changed from
     iso-8859-1 to utf-8. This commit reverts this change to address concerns
     about invalid UTF-8 encodings. (closes: 849531)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
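
The mismatch discussed in this thread, between the charset a report mail declares and the bytes copied into it from logs, can be checked mechanically. The following is an added example, not part of the bug report and not logwatch code; the function names and the sample log lines are constructed for illustration. It finds lines that are not valid UTF-8 and builds a mail body whose contents actually match the declared charset.

```python
from email.message import EmailMessage

# Constructed sample: raw log bytes as a report generator would read them.
SAMPLE_LOG = (
    b"sshd[411]: Invalid user admin from 192.0.2.10\n"       # plain ASCII
    b"sshd[412]: Invalid user j\xfcrgen from 192.0.2.11\n"   # ISO-8859-1 byte, invalid as UTF-8
    b"sshd[413]: Invalid user \xc3\xa9ve from 192.0.2.12\n"  # valid UTF-8
    b"sshd[414]: Invalid user x\x1b[2Jy from 192.0.2.13\n"   # embedded control character
)

def invalid_utf8_lines(raw: bytes) -> list[int]:
    """Return the 1-based numbers of lines that do not decode as strict UTF-8."""
    bad = []
    for number, line in enumerate(raw.splitlines(), 1):
        try:
            line.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            bad.append(number)
    return bad

def sanitize(raw: bytes) -> str:
    """Decode as UTF-8; show undecodable bytes and control characters as \\xNN."""
    text = raw.decode("utf-8", errors="backslashreplace")
    return "".join(
        ch if ch in "\n\t" or ch.isprintable() else f"\\x{ord(ch):02x}"
        for ch in text
    )

def build_report(raw: bytes) -> EmailMessage:
    """Build a mail whose body really is what its charset parameter declares."""
    msg = EmailMessage()
    msg["Subject"] = "Log report (constructed example)"
    msg.set_content(sanitize(raw), charset="utf-8")
    return msg

if __name__ == "__main__":
    print("lines that are not valid UTF-8:", invalid_utf8_lines(SAMPLE_LOG))
    print(build_report(SAMPLE_LOG).get_content())
```
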
