Bug#336979: marked as done (exim4: Using courier_authdaemon authentication accepts wrong passwords)

Debian Bug Tracking System owner at bugs.debian.org
Wed Nov 2 22:48:42 UTC 2005


Your message dated Wed, 02 Nov 2005 14:32:25 -0800
with message-id <E1EXR9d-0005fU-00 at spohr.debian.org>
and subject line Bug#336979: fixed in exim4 4.54-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Nov 2005 00:37:39 +0000
From info at peter-thomassen.de Tue Nov 01 16:37:39 2005
Return-path: <info at peter-thomassen.de>
Received: from a4a.de [195.225.198.14] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EX6dH-00052U-00; Tue, 01 Nov 2005 16:37:39 -0800
Received: from peter by a4a.de with local (Exim 4.54)
	id 1EX6dD-0002ng-Qi; Wed, 02 Nov 2005 01:37:35 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Peter Thomassen <info at peter-thomassen.de>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: exim4: Using courier_authdaemon authentication accepts wrong passwords
X-Mailer: reportbug 3.17
Date: Wed, 02 Nov 2005 01:37:35 +0100
Message-Id: <E1EX6dD-0002ng-Qi at a4a.de>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: info at peter-thomassen.de
X-SA-Exim-Scanned: No (on a4a.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_01,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: exim4
Version: 4.54-1
Severity: normal

When using plain_courier_authdaemon or login_courier_authdaemon
authentication, wrong passwords are accepted (but only correct
usernames).

According to [1], this is Debian-specific.
  [1]: http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php

[2] gives another server_condition which is claimed to not raise this
problem, but I cannot verify that because I just don't understand it.
  [2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730

Since this allows unauthorized people to authenticate with Exim, this is
a security hole (critical).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

---------------------------------------
Received: (at 336979-close) by bugs.debian.org; 2 Nov 2005 22:38:00 +0000
From katie at spohr.debian.org Wed Nov 02 14:38:00 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EXR9d-0005fU-00; Wed, 02 Nov 2005 14:32:25 -0800
From: Marc Haber <mh+debian-packages at zugschlus.de>
To: 336979-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#336979: fixed in exim4 4.54-2
Message-Id: <E1EXR9d-0005fU-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Wed, 02 Nov 2005 14:32:25 -0800
Delivered-To: 336979-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: exim4
Source-Version: 4.54-2

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive:

exim4-base_4.54-2_i386.deb
  to pool/main/e/exim4/exim4-base_4.54-2_i386.deb
exim4-config_4.54-2_all.deb
  to pool/main/e/exim4/exim4-config_4.54-2_all.deb
exim4-daemon-heavy_4.54-2_i386.deb
  to pool/main/e/exim4/exim4-daemon-heavy_4.54-2_i386.deb
exim4-daemon-light_4.54-2_i386.deb
  to pool/main/e/exim4/exim4-daemon-light_4.54-2_i386.deb
exim4_4.54-2.diff.gz
  to pool/main/e/exim4/exim4_4.54-2.diff.gz
exim4_4.54-2.dsc
  to pool/main/e/exim4/exim4_4.54-2.dsc
exim4_4.54-2_all.deb
  to pool/main/e/exim4/exim4_4.54-2_all.deb
eximon4_4.54-2_i386.deb
  to pool/main/e/exim4/eximon4_4.54-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336979 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages at zugschlus.de> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  2 Nov 2005 19:40:22 +0000
Source: exim4
Binary: eximon4 exim4-daemon-custom exim4-daemon-heavy exim4-base exim4 exim4-daemon-light exim4-config
Architecture: source i386 all
Version: 4.54-2
Distribution: unstable
Urgency: low
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers at lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages at zugschlus.de>
Description: 
 exim4      - metapackage to ease exim MTA (v4) installation
 exim4-base - support files for all exim MTA (v4) packages
 exim4-config - configuration for the exim MTA (v4)
 exim4-daemon-heavy - exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-light - lightweight exim MTA (v4) daemon
 eximon4    - monitor application for the exim MTA (v4) (X11 interface)
Closes: 336979
Changes: 
 exim4 (4.54-2) unstable; urgency=low
 .
   * debian/README.Debian* merged into one xml-file. Binary packages ship both
     a html (generated by xsltproc) and plain-text version (lynx +
     post processing) of the file. (Hilko Bengen)
   * Switch to libmysqlclient14.
   * Fix two typos in French debconf templates.
     Thanks to Christian Perrier. (mh)
   * Replace broken courier auth example with one that actually denies
     access if a wrong password is given. Thanks to Peter Thomassen for
     carrying that report from some colorful web forum to the people who
     can fix it after like four months. (mh) Closes: #336979
   * Fix minor typos in README.Debian.xml and changelog. (mh)
   * Add 255.255.255.255 to ignore_target_hosts in dnslookup. (mh)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iEYEARECAAYFAkNpGfkACgkQgZalRGu6PITrfACgiMUaQokeOVTPUrpmZiRBe3Bb
LDAAn3rx5nFkcLm1PSVEL7xIPTN7nVgb
=LqNS
-----END PGP SIGNATURE-----



