Hide Forgot
An information disclosure flaw was found in the way swaks, a command-line Swiss Army Knife SMTP transaction tester, performed management of passwords, provided on the command-line, when the -a (authenticate) option was used (the password has been displayed back in plaintext form to the relevant output file handle without being filtered first). A local attacker could use this flaw to potentially obtain plaintext form of passwords, the particular swaks SMTP user in question (victim) was using for different (swaks supported) authentication types. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650024
This issue affects the versions of the swaks package, as shipped with Fedora EPEL 4, 5, and 6 releases. Please schedule an update once appropriate upstream patch / release available. -- This issue affects the versions of the swaks package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update once appropriate upstream patch / release available.
Created swaks tracking bugs for this issue Affects: fedora-all [bug 757672] Affects: epel-all [bug 757673]
Red Hat Security Response Team does not consider this deficiency to be a security flaw.
Any chance someone could explain to me just what went on here? Why would the security team open bugs only to close them afterwards? It's never been any secret that swaks echoed back password input so I'm kind of puzzled as to why this is coming up now.