Rolf Leggewie
2010-Feb-08 21:17 UTC
[Secure-testing-team] Bug#568925: esmtp: configuration file world-readable
Package: esmtp
Version: 0.6.0-1
Severity: critical
Tags: security
Justification: root security hole

The configuration file for esmtp is installed world-readable. This is a security hole since it may contain user/password combinations for remote mail servers. This is even likely to be generally the case.

I report this from my Ubuntu machine after checking the Debian Changelog did not contain any reference to this being fixed. After looking at esmtp.postinst from the Debian package I am also reasonably confident that this issue is still present in the latest unstable package. Please accept my apologies should that not be the case.

-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-11-generic (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages esmtp depends on:
ii  debconf [debconf-2.0]  1.5.27ubuntu2     Debian configuration management sy
ii  libc6                  2.10.1-0ubuntu16  GNU C Library: Shared libraries
ii  libesmtp5              1.0.4-2           LibESMTP SMTP client library

Versions of packages esmtp recommends:
ii  esmtp-run              0.6.0-1           User configurable relay-only MTA

Versions of packages esmtp suggests:
pn  procmail | maildrop | deliver  <none>    (no description available)

-- debconf information excluded
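Added example, not part of the original report or of the esmtp package: a shell check for the condition the report describes, a configuration file that is readable by "other" and holds a password, followed by a permission fix. The file path is supplied by the caller, and the `password = ...` line syntax and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a mail client config file for the exposure in the report.
# Assumptions: the path is supplied by the caller; credentials appear as "password = ...".

# True if the "other" read bit is set on a regular file.
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# True if any line assigns a password (assumed keyword syntax).
has_password_line() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# Status: 0 ok, 1 world-readable, 2 world-readable with a password, 3 missing.
audit_conf() {
    [ -f "$1" ] || { echo "MISSING  $1"; return 3; }
    if is_world_readable "$1"; then
        if has_password_line "$1"; then
            echo "CRITICAL $1: world-readable and holds a password"
            return 2
        fi
        echo "WARN     $1: world-readable"
        return 1
    fi
    echo "OK       $1"
}

# Mitigation: remove every permission for "other"; owner and group bits are untouched.
restrict_conf() {
    chmod o-rwx "$1"
}

# With a path argument, audit that file; otherwise run on a constructed sample.
if [ $# -gt 0 ]; then
    audit_conf "$1"
else
    sample=$(mktemp)
    printf 'username = "demo"\npassword = "constructed-value"\n' > "$sample"
    chmod 644 "$sample"
    audit_conf "$sample" || true     # reports CRITICAL
    restrict_conf "$sample"
    audit_conf "$sample" || true     # reports OK
    rm -f "$sample"
fi
```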