Package: logwatch
Version: 7.4.3+git20161207-1
Severity: critical

Current logwatch did change from sending mails with charset iso-8859-1 to UTF-8. This opens up a potential security hole as UTF-8 is not able to display all 8bit data. This is especially true as the output from logwatch is from an untrusted source where one could easily put some malicious content in.

Logwatch does nothing to clean up the mail content or convert it from the native charset to UTF-8.

Note that this bug went in recently as 7.4.0 did not have this bug (neither does 7.4.1).

I do not find any upstream changelog in the package and when I download it from upstream directly, I cannot find any note of this breaking change.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages logwatch depends on:
ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
pn  perl:any                                   <none>

Versions of packages logwatch recommends:
ii  libdate-manip-perl   6.56-1
ii  libsys-cpu-perl      0.61-2+b1
pn  libsys-meminfo-perl  <none>

Versions of packages logwatch suggests:
ii  fortune-mod  1:1.99.1-7

-- no debconf information

--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
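Added example, not part of the original report and not logwatch's code (logwatch is written in Perl; Python is used here for illustration): one way a report mailer can make the declared UTF-8 charset match the bytes it sends, by decoding each untrusted log line strictly as UTF-8, falling back to the native charset, and escaping control characters. The ISO-8859-1 fallback, the function names, the addresses and the sample log lines are assumptions constructed for this example.

```python
from email.message import EmailMessage

NATIVE_CHARSET = "iso-8859-1"  # assumption: charmap of the reporting host's locale


def decode_line(raw: bytes, native: str = NATIVE_CHARSET) -> str:
    """Turn one untrusted log line into text that is safe to send as UTF-8."""
    try:
        text = raw.decode("utf-8")            # strict: rejects stray 8-bit bytes
    except UnicodeDecodeError:
        text = raw.decode(native, "replace")  # reinterpret in the native charset
    # Show C0/C1 control characters (ESC, CSI, ...) as visible escapes so log
    # content cannot drive the terminal or mail client that renders the report.
    return "".join(
        ch if ch == "\t" or (ch >= " " and not "\x7f" <= ch <= "\x9f")
        else f"\\x{ord(ch):02x}"
        for ch in text
    )


def to_text(raw: bytes) -> str:
    """Decode line by line, since one log file can mix encodings."""
    return "\n".join(decode_line(line) for line in raw.split(b"\n"))


def build_report_mail(raw: bytes, sender: str, rcpt: str) -> EmailMessage:
    """Build a mail whose declared charset matches the bytes it carries."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "Log report (constructed example)"
    msg.set_content(to_text(raw), charset="utf-8")
    return msg


# Constructed sample: a Latin-1 line, a UTF-8 line, and a line with escape bytes.
SAMPLE = (b"sshd: invalid user caf\xe9\n"
          + "sshd: invalid user m\u00fcller\n".encode("utf-8")
          + b"su: \x1b[31mroot\x9b\n")

if __name__ == "__main__":
    mail = build_report_mail(SAMPLE, "logwatch@localhost", "root@localhost")
    print(mail.get_content())
```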