Hi,
@racke, following your work at
https://github.com/sympa-community/sympa/pull/1015
it seems we'd need a new debconf question to ask the user whether they
want the setuid wrapper to be activated or not.
This could be added even before the pull request is merged I think, as
toggling the setuid bit on the wrapper is equivalent to introducing
'alias_wrapper' + setting it to 'off' + removing the wrapper (IIUC).
What do you think?
If you're OK with this direction I can provide a patch, which I'll
probably backport to stretch to mitigate this vulnerability
(aka fix it for every MTA but sendmail AFAICS)
Cheers!
Sylvain Beucler
Debian LTS Team