From johnm@gentoo.org Thu Oct 2 17:29:43 2003
From: John Mylchreest
To: security@gentoo.org, gentoo-announce@gentoo.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Thu, 02 Oct 2003 20:10:11 +0100
Subject: [Full-Disclosure] GLSA: vpopmail (200310-01)

GENTOO LINUX SECURITY ANNOUNCEMENT
---------------------------------------------------------------------
PACKAGE           : vpopmail
SUMMARY           : Insecure file permissions.
DATE              : 2003-10-02 18:28 UTC
EXPLOIT           : local
VERSIONS AFFECTED : <=5.2.1-r5
FIXED VERSION     : 5.2.1-r6
GENTOO BUG #      : 23502
CVE               : none known at present time
---------------------------------------------------------------------

DESCRIPTION:

The file /etc/vpopmail.conf, which is distributed by versions of vpopmail less than 5.2.1-r6, has insecure permissions when merged with USE="mysql", causing it to be world readable. This means that any local user is able to view the contents of this file. The file contains unencrypted password information used to access the MySQL database server to modify the vpopmail table information.

SOLUTION:

chmod 640 /etc/vpopmail.conf
emerge sync
emerge -u vpopmail -pv
emerge -u vpopmail
emerge clean

--
John Mylchreest.
Gentoo Linux: http://www.gentoo.org
Public Key: gpg --recv-keys 0xEAB9E721
            http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEAB9E721
Key fingerprint: 0670 E5E4 F461 806B 860A 2245 A40E 72EB EAB9 E721
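As an added example (not part of the advisory, the Gentoo ebuild or the vpopmail package), a small POSIX shell audit that detects the condition the advisory describes, a credential-bearing file whose mode grants read access to every local user, and can apply the advisory's chmod 640. It assumes GNU coreutils `stat` (Linux); the function names and the sample file used in testing are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory: audit a config file that holds
# database credentials for the world-readable condition described above.
# Assumes GNU coreutils `stat` (the '%a' octal-mode format).

# Return 0 when the "other" class has no read bit, 1 when it does
# (the /etc/vpopmail.conf case), 2 when the file does not exist.
others_cannot_read() {
    f=$1
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f")      # e.g. 644, or 4755 with setuid
    other=${mode#"${mode%?}"}      # last octal digit is the "other" class
    case $other in
        4|5|6|7) return 1 ;;       # read bit (4) set for "other"
        *)       return 0 ;;
    esac
}

# Report the file's state; with a second argument of "yes", apply the
# advisory's fix (chmod 640) so owner rw / group r / other none.
audit_secret_file() {
    f=$1
    fix=${2:-no}
    others_cannot_read "$f"
    rc=$?
    case $rc in
        2) echo "skip: $f does not exist"; return 2 ;;
        0) echo "ok:   $f is not world-readable"; return 0 ;;
    esac
    echo "WARN: $f is world-readable (mode $(stat -c '%a' "$f"))"
    if [ "$fix" = yes ]; then
        chmod 640 "$f" && echo "fixed: chmod 640 $f"
        return 0
    fi
    return 1
}

# Usage: sh audit.sh /etc/vpopmail.conf [yes]   (yes = apply chmod 640)
if [ $# -gt 0 ]; then
    audit_secret_file "$1" "${2:-no}"
fi
```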