Bug#160813: marked as done (cgiemail:/etc/cgiemail.conf is not consulted)
Colin Watson <cjwatson@debian.org> writes:
> On Sat, Sep 28, 2002 at 06:33:18AM -0500, Debian Bug Tracking System wrote:
> > cgiemail (1.6-15) unstable; urgency=low
> > .
> > * QA upload.
> > * Null-terminate templatedir, and make sure it really does get checked
> > (closes: #160813).
>
> Sorry, this should have been urgency=high.
>
> I think a stable-security upload will be needed as well. Here's the
> relevant part of the diff I used:
[...]
While you're at it, please make sure cgiemail doesn't accept templates
when there is no /etc/cgiemail.conf. As it is, the vulnerability is
still open between unpacking and configuration.

Also, I think cgiemail.pod lacks the structure and the style of a man
page, and makes us look really lazy. :-) Bug#6302, the reason it was
written, was submitted back when the binaries were in /usr/bin; since
the user doesn't invoke them directly, we can do without it.

BTW, the postrm should remove /etc/cgiemail.conf.
Thanks,
Matej
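
Added example, not part of the message above and not cgiemail's own code: a fail-closed template check that refuses every template when the configuration file is missing, terminates the directory buffer explicitly, and matches the directory on a path-component boundary. The function names, the one-line config format (first line is the allowed template directory) and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Read the allowed template directory (assumed: first line of the file).
 * Returns 1 on success, 0 if the file is missing, empty or unusable. */
int load_templatedir(const char *conf_path, char *dir, size_t size)
{
    FILE *fp;
    size_t len;
    if (size == 0 || (fp = fopen(conf_path, "r")) == NULL)
        return 0;
    len = fread(dir, 1, size - 1, fp);
    fclose(fp);
    if (len == size - 1)
        return 0;                     /* possibly truncated: refuse */
    dir[len] = '\0';                  /* fread() does not terminate the buffer */
    dir[strcspn(dir, "\r\n")] = '\0'; /* keep the first line only */
    len = strlen(dir);
    while (len > 1 && dir[len - 1] == '/')
        dir[--len] = '\0';            /* "/srv/templates/" -> "/srv/templates" */
    return len > 1 && dir[0] == '/';  /* absolute path other than "/" */
}

/* 1 if path lies below dir, 0 otherwise. */
int template_under_dir(const char *dir, const char *path)
{
    size_t len = strlen(dir);
    if (strncmp(path, dir, len) != 0 || path[len] != '/')
        return 0;                     /* "/srv/templates-evil/x" must not match */
    if (strstr(path, "/..") != NULL)
        return 0;                     /* conservative: no ".." components */
    return 1;
}

/* Fail closed: without a usable config file, every template is refused. */
int template_allowed(const char *conf_path, const char *path)
{
    char dir[256];
    if (!load_templatedir(conf_path, dir, sizeof dir))
        return 0;
    return template_under_dir(dir, path);
}

int main(void)
{
    printf("%d\n", template_allowed("/etc/cgiemail.conf", "/srv/templates/form.txt"));
    return 0;
}
```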