[Pkg-mailman-hackers] Bug#803161: Bug#803161: mailman: /var/log/mailman/* world-readable by default, leaking sensitive list information

Thorsten Glaser t.glaser at tarent.de
Tue Oct 27 18:02:29 UTC 2015


On Tue, 27 Oct 2015, Dominik George wrote:

> >This issue can be considered a security vulnerability, but it is
> >certainly not a root security hole, hence lowering the severity.

> root (or another privileged system account), or *data normally
> accessible only by such accounts*“

By default, the mailman configuration is such that:

– everyone can subscribe themselves to a mailing list (even remotely)
– mailing list subscriber information is visible to list members

AFAICT there is no information in the mailman logs that is more
critical than the identity of the subscribers.

We’re in agreement that the default (log visibility) could be better,
but I’m with Florian here: in the default configuration, this does
not disclose any data not already disclosed, so this is not of such
a high severity.

Now let’s stop discussing severity… bugs are bugs, and all bugs
ought to be fixed. This merely says “this bug isn’t such a grave
showstopper that the package should be pulled from stretch ASAP”.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
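The underlying defect is file permissions on /var/log/mailman, and the thing a list administrator will actually want is a quick way to confirm whether that directory leaks to "other" and to close it. The following shell snippet is an added example and is not part of this bug report, the mailman package, or anything Thorsten or Dominik wrote; it takes the log directory as a parameter (the path /var/log/mailman comes from the bug title, but the functions work on any directory) and assumes nothing about which group should retain read access, so it only strips the "other" bits.

```shell
#!/bin/sh
# Added example, not from the bug report or the mailman package.
# Audit a log directory for files readable by "other", and optionally
# restrict them. Usage: audit_world_readable /var/log/mailman

# Print every regular file under $1 whose mode includes the other-read bit.
# -perm -o=r matches any file that has at least that bit set.
audit_world_readable() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f -perm -o=r
}

# Number of offending files under $1; "0" means the directory is clean.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Remediation: remove all "other" permissions from the directory itself
# (so the file names cannot be listed either) and from every file in it.
# Owner and group permissions are left untouched, so whatever group the
# local setup uses for list administration keeps its access.
restrict_logs() {
    dir="$1"
    chmod o-rwx "$dir"
    find "$dir" -type f -exec chmod o-rwx {} +
}
```

Running `count_world_readable /var/log/mailman` before and after `restrict_logs /var/log/mailman` gives a one-number check that can be dropped into a post-install or monitoring script; note that whatever rotates the logs must also create new files with a matching mode, or the audit count will creep back up.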


