Package: fusiondirectory
Version: 1.3-3
Severity: grave
Tags: security
Justification: user security hole
As reported in https://github.com/fusiondirectory/fusiondirectory-plugins/issues/25, fusiondirectory stores the passwords for the Dovecot and Cyrus master accounts in LDAP in cleartext, on custom attributes that would be exposed in a standard OpenLDAP installation. There is no warning about this, nor any mention in the documentation. Sadly, upstream seems hostile to the suggestion that this is a serious security issue, and refuses to even document this behaviour. Personally, I can't trust the software knowing this, but more importantly, there might be tons of compromised systems out there.

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fusiondirectory depends on:
ii  apache2 [httpd]                     2.4.38-3+deb10u3
ii  debconf [debconf-2.0]               1.5.71
ii  fusiondirectory-smarty3-acl-render  1.3-3
ii  gettext                             0.19.8.1-9
ii  javascript-common                   11
ii  libarchive-extract-perl             0.80-1
ii  libcrypt-cbc-perl                   2.33-2
ii  libfile-copy-recursive-perl         0.44-1
ii  libjs-prototype                     1.7.1-3
ii  libjs-scriptaculous                 1.9.0-2
ii  libnet-ldap-perl                    1:0.6500+dfsg-1
ii  libpath-class-perl                  0.37-1
ii  libterm-readkey-perl                2.38-1
ii  libxml-twig-perl                    1:3.50-1.1
ii  openssl                             1.1.1d-0+deb10u3
ii  perl [libdigest-sha-perl]           5.28.1-6
ii  php                                 2:7.3+69
ii  php-cas                             1.3.6-1
ii  php-curl                            2:7.3+69
ii  php-fpdf                            3:1.8.1.dfsg-2
ii  php-gd                              2:7.3+69
ii  php-imagick                         3.4.3-4.1
ii  php-imap                            2:7.3+69
ii  php-ldap                            2:7.3+69
ii  php-mbstring                        2:7.3+69
ii  php-xml                             2:7.3+69
ii  php7.3 [php]                        7.3.19-1~deb10u1
ii  php7.3-cli [php-cli]                7.3.19-1~deb10u1
ii  php7.3-curl [php-curl]              7.3.19-1~deb10u1
ii  php7.3-gd [php-gd]                  7.3.19-1~deb10u1
ii  php7.3-imap [php-imap]              7.3.19-1~deb10u1
ii  php7.3-ldap [php-ldap]              7.3.19-1~deb10u1
ii  php7.3-mbstring [php-mbstring]      7.3.19-1~deb10u1
ii  php7.3-xml [php-xml]                7.3.19-1~deb10u1
ii  schema2ldif                         1.3-3
ii  smarty-gettext                      1.6.1-1
ii  smarty3                             3.1.33+20180830.1.3a78a21f+selfpack1-1

fusiondirectory recommends no packages.

Versions of packages fusiondirectory suggests:
pn  argonaut-server         <none>
ii  fusiondirectory-schema  1.3-3
ii  slapd                   2.4.47+dfsg-3+deb10u2

-- Configuration Files:
/etc/fusiondirectory/fusiondirectory-apache.conf changed [not included]

-- debconf information excluded