Your message dated Wed, 11 Jun 2025 15:40:45 -0700
with message-id <4862509.1oUyQt6lIG@soren-desktop>
and subject line courier-authlib: CVE-2021-28374: /run/courier/authdaemon
directory with weak permissions
has caused the Debian Bug report #984810,
regarding courier-authlib: CVE-2021-28374: /run/courier/authdaemon directory
with weak permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: courier-authlib
Version: 0.71.0-1
Tags: upstream security buster stretch bullseye
Justification: user security hole
Severity: grave
Usertags: security
/usr/sbin/auth is a program that can test, from an
installation setup, whether the authlib daemon is working
without the complete courier suite installed
(for a cluster or distributed environment, as I made it).
Currently, as a normal user, the users database
can be accessed if we set up mysql, postgres
or sqlite, including ldap setups. I mean,
a limited account can query users' mail data
to make some kind of attack.
This information is revealed from the DB:
serveruno:$ authtest test
Authentication succeeded.
Authenticated: test (uid 244, gid 244)
Home Directory: /home/users/intranetusers/test
Maildir: /home/users/intranetusers/test/Maildir
Quota: (none)
Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
Cleartext Password: 1
Options: (none)
Of course, storing the clear password is not good practice,
but in intranets and corporate environments
known passwords are mandatory due to the management
of users.
In any case, this information is too open.
We used authpasswd to check that the users DB
setup is working across changes and upgrades.
For this upgrade from a stable installation,
to properly test the latest version before sending this report:
the problem is present in all the versions packaged
by Debian.
I asked upstream, but this problem is so obvious
that I am sending it to Debian. A sensible solution is to limit
access to the program (which is what I do):
chmod 750 /usr/sbin/authtest
chown courier:root /usr/sbin/authtest
I already asked upstream, but I don't know what Sam will think about it!
ADDITIONAL NOTE: the package that owns the program is authlib. This
is completely wrong, because important setup is not retrieved by
reportbug, like the modified authdaemon setup files. The
/usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest
must belong to authdaemon (to make sense).
Kernel: Linux 5.10.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages courier-authlib depends on:
ii adduser 3.118
ii libc6 2.31-9
ii libgcc-s1 10.2.1-6
ii libgdbm6 1.19-2
ii libltdl7 2.4.6-15
ii libpam0g 1.4.0-6
ii libstdc++6 10.2.1-6
Versions of packages courier-authlib recommends:
pn expect <none>
courier-authlib suggests no packages.
-- no debconf information
--- End Message ---
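The reporter's workaround above (chmod 750 / chown courier:root on the auth* tools), together with the directory named in the bug title, turned into an audit-and-harden helper. This is an added example, not code from the bug report, from Debian or from courier-authlib. It runs against a constructed fake filesystem root so it works offline and unprivileged; the "weak" fixture modes (0755) and the 0750 target for /run/courier/authdaemon are assumptions for illustration, since the report itself only gives the mode for the binaries.

```sh
#!/bin/sh
# Added example (not from the bug report or the courier-authlib package):
# audit and harden the two exposures discussed above: world-executable
# authtest/authpasswd/authenumerate and a world-searchable authdaemon
# socket directory. Fixture modes and the 0750 directory target are assumptions.

AUTH_TOOLS="usr/sbin/authtest usr/sbin/authpasswd usr/sbin/authenumerate"
AUTH_SOCKDIR="run/courier/authdaemon"

# Exit 0 when the path grants the given "others" bit (001 = x, 004 = r, 002 = w).
# POSIX `find -perm -MODE` matches when every bit in MODE is set.
others_have() {            # $1 = path, $2 = octal bits for "others"
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Audit an install rooted at $1 ("/" for the live system). Prints one line per
# finding; exit 0 = nothing found, exit 1 = at least one weak permission.
audit_authlib() {
    root=${1%/}; found=0
    for t in $AUTH_TOOLS; do
        f="$root/$t"
        [ -e "$f" ] || continue
        if others_have "$f" 001; then
            echo "WEAK: $f is executable by any local user (can dump credentials)"
            found=1
        fi
    done
    d="$root/$AUTH_SOCKDIR"
    if [ -d "$d" ] && others_have "$d" 001; then
        echo "WEAK: $d is searchable by any local user (authdaemon socket reachable)"
        found=1
    fi
    [ "$found" -eq 0 ]
}

# Apply the reporter's workaround to the tools and the same mode to the socket
# directory. $2 = owner:group (e.g. courier:root); empty skips chown so the
# function also works when not running as root.
harden_authlib() {
    root=${1%/}; owner=${2:-}
    for t in $AUTH_TOOLS; do
        f="$root/$t"
        [ -e "$f" ] || continue
        chmod 750 "$f"
        [ -n "$owner" ] && chown "$owner" "$f"
    done
    d="$root/$AUTH_SOCKDIR"
    [ -d "$d" ] && chmod 750 "$d"
    return 0
}

# Build a constructed fake root under $1 with stub binaries; $2 = weak | hard.
make_fixture() {
    root=$1; kind=$2
    mkdir -p "$root/usr/sbin" "$root/$AUTH_SOCKDIR"
    for t in $AUTH_TOOLS; do
        printf '#!/bin/sh\necho stub\n' > "$root/$t"
    done
    if [ "$kind" = weak ]; then mode=755; else mode=750; fi
    for t in $AUTH_TOOLS; do chmod "$mode" "$root/$t"; done
    chmod "$mode" "$root/$AUTH_SOCKDIR"
}

# Demonstration on a throwaway fixture: weak layout, then hardened.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp" weak
    echo "== before =="; audit_authlib "$tmp" || true
    harden_authlib "$tmp"
    echo "== after ==";  audit_authlib "$tmp" && echo "no weak permissions found"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;               # sh audit.sh --demo
    "") ;;                        # no argument: only define the functions
    *) audit_authlib "$1" ;;      # sh audit.sh /   (audit the live system)
esac
```

Run it as `sh audit.sh /` on a real host to list what a local user can reach; `sh audit.sh --demo` shows the before/after on the fixture. The check on the directory is the interesting one for the CVE: even with the binaries locked down, a world-searchable socket directory lets any local process speak the authdaemon protocol directly.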
--- Begin Message ---
I am closing this bug report as there was no response to my previous message.
Feel free to reopen it if it still applies.
--
Soren Stoutner
[email protected]
--- End Message ---