The file /etc/nullmailer/remotes contains plaintext passwords to remote SMTP servers. I think it would be a good idea to install it with more restrictive permissions. I tried with root:nullmail / 0640 and it seems that everything works without any issues. The ebuild for mail-mta/ssmtp does a similar thing for its equivalent file. Here's the relevant snippet from that ebuild:

    if ! use prefix; then
        fowners root:ssmtp /etc/ssmtp/ssmtp.conf
        fperms 640 /etc/ssmtp/ssmtp.conf
    fi
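A way to audit the ownership and mode proposed in the report above, as an added example that is not part of the bug thread or of any ebuild. The helper name check_secret_file and the --audit switch are hypothetical, and GNU stat is assumed:

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a credentials file such as
# /etc/nullmailer/remotes. check_secret_file is a hypothetical helper name.
# Assumes GNU stat (-c / -L), as shipped on Gentoo Linux.

# Usage: check_secret_file PATH OWNER GROUP MAXMODE
# Returns 0 if PATH is owned by OWNER:GROUP and grants no permission bit
# beyond MAXMODE (octal, e.g. 640); returns 1 and reports each problem otherwise.
check_secret_file() {
    path=$1; want_owner=$2; want_group=$3; max_mode=$4
    rc=0

    if [ ! -e "$path" ]; then
        echo "MISSING: $path" >&2
        return 1
    fi

    mode=$(stat -L -c %a "$path")    # octal mode, e.g. 644
    owner=$(stat -L -c %U "$path")
    group=$(stat -L -c %G "$path")

    # Bits set on the file that the allowed maximum does not permit.
    # A stricter mode (e.g. 600 against 640) leaves no extra bits and passes.
    extra=$(( 0$mode & ~0$max_mode ))
    if [ "$extra" -ne 0 ]; then
        printf 'MODE: %s is %s, allowed at most %s (extra bits %o)\n' \
            "$path" "$mode" "$max_mode" "$extra" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $path is owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $path has group $group, expected $want_group" >&2
        rc=1
    fi
    return "$rc"
}

# Values from the report: root:nullmail, mode 0640.
if [ "${1:-}" = "--audit" ]; then
    check_secret_file /etc/nullmailer/remotes root nullmail 640
fi
```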
This becomes a security bug from now on, thanks for the report.
In CVS. Arches, please stabilize nullmailer-1.11-r2. Target keywords: amd64 ppc x86
amd64 stable
ppc stable
x86 stable
Thanks for your work.
GLSA vote: no
+*nullmailer-1.13-r2 (25 Sep 2013) + + 25 Sep 2013; Justin Lecher <jlec@gentoo.org> -nullmailer-1.11.ebuild, + -nullmailer-1.11-r1.ebuild, nullmailer-1.11-r2.ebuild, + nullmailer-1.11-r3.ebuild, -nullmailer-1.13.ebuild, + -nullmailer-1.13-r1.ebuild, +nullmailer-1.13-r2.ebuild, + +files/init.d-nullmailer-r3: + Drop old vulnerable versions, #480376; respect AR, #480394; make paludis + happy, #462846 thanks Thomas Witt for the patch; fix broken openrc + initscript, #480354 + Removed all versions in question.
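Review bot: the single ChangeLog entry for nullmailer-1.13-r2 folds the security cleanup ("Drop old vulnerable versions, #480376") together with three unrelated changes (#480394, #462846, #480354), which makes the security-relevant removal hard to audit or reference on its own; a separate commit and entry for the removal would be easier to track. The file list also shows nullmailer-1.11-r2.ebuild and nullmailer-1.11-r3.ebuild without a leading "-", so they were modified rather than dropped, and the entry does not say what changed in them; it would help to state that explicitly and to note that the versions left in the tree install /etc/nullmailer/remotes with the restricted owner and mode.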
GLSA vote: no. Closing noglsa.