Package: pootle
Version: 1.1.0-1
Severity: important
Tags: patch security

In the subscription confirmation emails, the password is sent to the users. These mails are not encrypted, which will provide both the activation code and the password of the new users.
This can be fixed by hardcoding the password (XXXXXX) in the mail. This security issue has no implication on the system, only on the data handled by Pootle.

See: http://lists.debian.org/debian-i18n/2008/08/msg00013.html

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pootle depends on:
ii  adduser            3.108    add and remove users and groups
ii  python             2.5.2-2  An interactive high-level object-o
ii  python-central     0.6.8    register and build utility for Pyt
ii  python-jtoolkit    0.7.8-4  Web application framework
ii  python-lxml        2.1.1-1  pythonic binding for the libxml2 a
ii  translate-toolkit  1.1.1-3  Toolkit assisting in the localizat

pootle recommends no packages.

pootle suggests no packages.

-- no debconf information
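
The masking fix proposed in the report, sketched as an added example (not Pootle's code and not the attached patch), together with a pre-send guard that also catches a password hidden by base64 transfer encoding. All function names, addresses and sample values are assumptions constructed for illustration.

```python
from email.message import EmailMessage

MASK = "XXXXXX"  # placeholder printed instead of the real password, as the report suggests


def build_confirmation_mail(sender, recipient, username, activation_code, password=None):
    """Build the signup confirmation mail (hypothetical helper).

    `password` is accepted only so callers of an older template keep working;
    it is never written into the message.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Please confirm your registration"
    msg.set_content(
        f"Username: {username}\n"
        f"Password: {MASK}\n"
        f"Activation code: {activation_code}\n"
    )
    return msg


def leaks_secret(msg, secret):
    """Return True if `secret` appears in any header or any decoded body part."""
    if not secret:
        return False
    if any(secret in str(value) for _, value in msg.items()):
        return True
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a plain
        # substring search over the raw message text would miss.
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        if secret in payload.decode(charset, errors="replace"):
            return True
    return False


def send_guarded(msg, secret, transport):
    """Hand `msg` to `transport` (any callable) only if it does not carry `secret`."""
    if leaks_secret(msg, secret):
        raise ValueError("refusing to send: message contains the account password")
    transport(msg)
```
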