Package: mailman
Version: 1:2.1.18-2
Severity: critical
Tags: security
Justification: root security hole

The log files of mailman, residing in /var/lib/mailman/log and in /var/log/mailman, and the log directory itself are created world-readable by default. This discloses sensitive information about list users, for example e-mail addresses and full names in the subscribe log, to all unprivileged system users that have shell or filesystem access.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mailman depends on:
ii  apache2 [httpd]              2.4.10-10+deb8u3
ii  apache2-mpm-prefork [httpd]  2.4.10-10+deb8u3
ii  apache2-mpm-worker [httpd]   2.4.10-10+deb8u3
ii  cron                         3.0pl1-127+deb8u1
ii  debconf [debconf-2.0]        1.5.56
ii  libc6                        2.19-18+deb8u1
ii  logrotate                    3.8.7-1+b1
ii  lsb-base                     4.1+Debian13+nmu1
ii  python-dnspython             1.12.0-1
pn  python:any                   <none>
ii  ucf                          3.0030

Versions of packages mailman recommends:
ii  postfix [mail-transport-agent]  2.11.3-1

Versions of packages mailman suggests:
ii  listadmin     2.40-4
ii  lynx          2.8.9dev1-2+deb8u1
ii  spamassassin  3.4.0-6

-- Configuration Files:
/etc/mailman/apache.conf changed [not included]

-- debconf information excluded
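The following script is an added example, not part of the bug report or of the mailman package: it audits a log directory for anything readable by "other" (the disclosure condition described above) and then tightens the modes to 0750 on the directory and 0640 on the files. It works on a constructed temporary tree that mimics the reported defaults (directory 0755, files 0644, a subscribe log carrying an address and a full name) rather than on /var/log/mailman, so it runs unprivileged; the path, the sample log line and the target modes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the report or from mailman): find and fix
# world-readable Mailman-style log files.
#
# Assumption: LOGDIR stands in for /var/log/mailman. By default we build a
# constructed temporary tree so the script can be run without root.
LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Build a constructed sample tree reproducing the reported defaults:
# directory 0755, log files 0644, subscribe log containing subscriber data.
setup_sample() {
    mkdir -p "$LOGDIR"
    chmod 0755 "$LOGDIR"
    for f in subscribe error smtp vette; do
        # constructed log line in the shape of a Mailman subscribe entry
        printf 'Jan 01 00:00:00 2016 (1234) listname: new user@example.org, Jane Doe\n' > "$LOGDIR/$f"
        chmod 0644 "$LOGDIR/$f"
    done
}

# List every path under LOGDIR that has the "other read" bit set.
# Any hit means an unprivileged local user can read that file or list that directory.
find_world_readable() {
    find "$LOGDIR" -perm -o=r -print | sort
}

# Number of world-readable paths (directory included), used as an audit verdict.
count_world_readable() {
    find_world_readable | wc -l | tr -d ' '
}

# Remediation: directory 0750 (no traversal/listing for "other"),
# files 0640 (owner and group only). Ownership is left alone on purpose;
# on Debian the mailman files belong to list:list and that should stay.
tighten() {
    chmod 0750 "$LOGDIR"
    find "$LOGDIR" -type f -exec chmod 0640 {} +
}

# Demo run: show the exposure, fix it, show that nothing is left exposed.
setup_sample
echo "world-readable before: $(count_world_readable)"
find_world_readable
tighten
echo "world-readable after:  $(count_world_readable)"
```

A one-off chmod is only half of a fix: the files are recreated by the running daemon and by logrotate, so the daemon's umask and the `create` mode in the package's logrotate fragment also need to produce 0640, otherwise the next rotation reopens the hole. Re-run `count_world_readable` after a rotation to confirm.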