[Pkg-mailman-hackers] Bug#803161: mailman: /var/log/mailman/* world-readable by default, leaking sensitive list information
Florian Weimer
fw at deneb.enyo.de
Tue Oct 27 17:31:12 UTC 2015
severity 803161 normal
thanks
* Dominik George:
> Severity: critical
> Tags: security
> Justification: root security hole
>
> The log files of mailman, residing in /var/lib/mailman/log and in
> /var/log/mailman, and the log directory itself are created
> world-readable by default. This discloses sensitive information about
> list users, for example e-mail addresses and full names in the subscribe
> log, to all unprivileged system users that have shell or filesystem
> access.
This issue can be considered a security vulnerability, but it is
certainly not a root security hole, hence lowering the severity.
Florian
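The following is an added example, not code from this thread or from the Debian mailman package. It shows how an administrator could audit a log directory for the world-readable entries the report describes and tighten the modes so only the owner and group can read them. The directory paths and the assumption that a dedicated group (such as "list") should keep read access are mine, not something the report states.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian mailman package):
# audit a log directory for world-readable entries and tighten the modes.
# The real paths named in the report are /var/lib/mailman/log and
# /var/log/mailman; the demo below uses a constructed directory instead.

# Print every file or directory under $1 whose mode grants read to "other".
# -perm -004 tests the permission bits only, so it works even when run as root.
list_world_readable() {
    find "$1" -perm -004 -print 2>/dev/null | sort
}

# Number of such entries; 0 means the tree is clean (usable as a monitoring check).
count_world_readable() {
    list_world_readable "$1" | awk 'END { print NR }'
}

# Remove all "other" access below $1. Group access is left untouched so that
# a mailman service group (assumed here to be "list") keeps reading the logs.
harden_log_dir() {
    chmod -R o-rwx "$1"
}

# Demonstration on a constructed directory rather than the live log tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log"
    # Constructed sample line in the shape of a subscribe log entry.
    printf 'Oct 27 17:31:12 2015 (1234) alice at example.invalid subscribed\n' > "$tmp/log/subscribe"
    chmod 755 "$tmp/log"
    chmod 644 "$tmp/log/subscribe"
    echo "world-readable before hardening:"
    list_world_readable "$tmp/log"
    harden_log_dir "$tmp/log"
    echo "world-readable entries after hardening: $(count_world_readable "$tmp/log")"
    rm -rf "$tmp"
fi
```

Run it with `sh audit_logs.sh --demo` to see the directory and the subscribe log reported before hardening and a count of 0 afterwards. For the real installation, point `list_world_readable` at the two directories from the report; a non-zero count is the condition worth alerting on, since a package upgrade or a log rotation that recreates files with a permissive umask can reintroduce it.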