--- qpopper-4.0.4/debian/changelog
+++ qpopper-4.0.4/debian/changelog
@@ -1,3 +1,15 @@
+qpopper (4.0.4-2.woody.5) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied upstream patch to ensure that no group- or world-readable
+ files are created [popper/popauth.c, CAN-2005-1152]
+
+ -- Martin Schulze Wed, 20 Apr 2005 20:27:57 +0200
+
 qpopper (4.0.4-2.woody.4) stable-security; urgency=medium
 * Non-maintainer upload by the Security Team
--- qpopper-4.0.4.orig/popper/popauth.c
+++ qpopper-4.0.4/popper/popauth.c
@@ -669,6 +695,7 @@
 memset ( &pop_pw, 0, sizeof(pop_pw) );
 memset ( &my_pw, 0, sizeof(my_pw) );
+ umask ( 0077 ); /* make sure we don't create group- or world-writable files */
 srandom ( (unsigned int) time ( (TIME_T *) 0) ); /* seed random with the current time */
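Review bot: The comment on the added `umask ( 0077 );` line in popper/popauth.c understates what the call does: a mask of 0077 clears read and execute as well as write for group and other, which matches the changelog wording ("group- or world-readable") rather than "writable". I would reword it to `/* restrict files created from here on to the owner: no group/other read, write or execute */`. Note also that umask only applies to files created after this point and does not tighten the mode of a file that already exists, so if the authentication database can pre-exist with looser permissions, an explicit mode check or `fchmod` at the open site would still be needed. The open/create calls and the rest of the enclosing function are outside this hunk, so that part needs confirming against the full file.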