Package: bugs.debian.org
Severity: critical
Justification: root security hole
Full email headers are visible on "http://bugs.debian.org". This introduces several problems:

1) Privacy concerns. It is just not necessary to keep anything except for the "From:" (and possibly "Sender:" and "Subject:") header line. Absolutely nobody is required to know the IP address the bug reporter is online with.

2) Simplified scanning for vulnerable boxes. The source IP will be exposed, and all IP addresses the email traversed, and those systems possibly exposed their MTA in the "Delivered-To:" lines. This data gives priceless hints on the running system and patch levels.

3) Scenario:
 *1. Traverse all bug reports, extract IP addresses.
 *2. Resolve IP addresses, check for static ranges.
 *3. Check those boxes for vulnerable software first.

I believe that such an attack scenario is very well possible, though my concerns regarding privacy clearly weigh heavier on my mind.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
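A defender-side mitigation for the exposure described in this report, as an added example (not code from the Debian BTS): before a report is published, keep only an allow-list of headers and drop the Received/Delivered-To trace headers that carry the reporter's IP address and the MTA software along the delivery path. The allow-list and the sample message are assumptions constructed for the example.

```python
"""Header allow-list filter for publishing bug-report mail (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumption: the allow-list follows the report ("From:", "Sender:", "Subject:")
# plus Date and Message-ID so that replies still thread correctly.
PUBLIC_HEADERS = frozenset({"from", "sender", "subject", "date", "message-id"})

# Trace headers that reveal source IPs and MTA versions on the path.
TRACE_HEADERS = frozenset({"received", "delivered-to", "x-originating-ip"})


def sanitize_headers(raw: bytes) -> EmailMessage:
    """Parse a raw message and return it with only allow-listed headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in list(msg.keys()):          # keys() repeats names, del removes all
        if name.lower() not in PUBLIC_HEADERS:
            del msg[name]                   # drops every Received: line at once
    return msg


def leaked_trace_headers(raw: bytes) -> list:
    """Values a public copy would have exposed had it kept the full headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(v) for k, v in msg.items() if k.lower() in TRACE_HEADERS]


# Constructed sample: hosts and addresses are documentation ranges, not real.
SAMPLE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby bugs.example.org (Postfix) with ESMTP id ABC123
\tfor <submit@bugs.example.org>; Mon, 17 Jan 2005 10:00:00 +0100
Received: from [198.51.100.7] (dsl-line.example.isp [198.51.100.7])
\tby mail.example.net (Exim 4.34) id 1Abc-0001-Xy
Delivered-To: submit@bugs.example.org
X-Originating-IP: 198.51.100.7
From: Reporter <reporter@example.net>
Subject: bugs.debian.org: full headers exposed
Date: Mon, 17 Jan 2005 09:59:00 +0100
Message-ID: <constructed-id@example.net>

Package: bugs.debian.org
Severity: critical
"""

if __name__ == "__main__":
    print("would have leaked:", leaked_trace_headers(SAMPLE))
    print(sanitize_headers(SAMPLE).as_string())
```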