On 11/5/20 3:19 PM, Sylvain Beucler wrote:
> Hi,
>
> @racke, following your work at
> https://github.com/sympa-community/sympa/pull/1015
> it seems we'd need a new debconf question to ask the user whether they want
> the setuid wrapper to be activated or not.
>

Yes, good idea. But it would make sense to add some more documentation, and
maybe we can also ask about the mail server in use. E.g. with Exim you don't
need to run the alias command at all.

> This could be added even before the pull request is merged, I think, as
> toggling the setuid bit on the wrapper is equivalent
> to introducing 'alias_wrapper' + setting it to 'off' + removing the wrapper
> (IIUC).
>

My plan was to release 6.2.58 with that patch, as it is a no-op unless you
turn alias_wrapper off.

Regards
Racke

> What do you think?
>
> If you're OK with this direction I can provide a patch, which I'll probably
> backport to stretch to mitigate this
> vulnerability
> (aka fix it for every MTA but sendmail AFAICS)
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
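The toggle discussed in this thread, as an added example that is not from the Debian sympa package, the upstream pull request, or either poster: a POSIX-shell helper of the kind a package postinst would call to apply the answer of a debconf question to the setuid bit of the alias wrapper. The debconf template name `sympa/enable-alias-wrapper` and the wrapper path are hypothetical placeholders, and the wrapper binary is assumed to already be root-owned with its normal mode.

```shell
#!/bin/sh
# Added example, not code from the sympa package or upstream project.
# The template name and wrapper path below are placeholders.
set -eu

# Apply the operator's choice to the wrapper binary:
#   enabled=true  -> set the setuid bit, wrapper runs as root for alias updates
#   enabled=false -> clear the setuid bit, so an account that can run the
#                    wrapper cannot use it to act as root
# Returns 0 on success, 1 if the wrapper is missing, 2 on a bad answer.
apply_alias_wrapper_setuid() {
    wrapper="$1"    # path to the wrapper binary (placeholder in real use)
    enabled="$2"    # "true" or "false", the form debconf stores a boolean in

    [ -f "$wrapper" ] || return 1
    case "$enabled" in
        true)  chmod u+s "$wrapper" ;;
        false) chmod u-s "$wrapper" ;;
        *)     return 2 ;;
    esac
}

# Report whether the setuid bit is currently set on the wrapper
# (exit status 0 = set, 1 = not set), for a postinst sanity check.
alias_wrapper_is_setuid() {
    [ -u "$1" ]
}

# In a real postinst the answer would come from debconf, roughly:
#   . /usr/share/debconf/confmodule
#   db_get sympa/enable-alias-wrapper      # hypothetical template name
#   apply_alias_wrapper_setuid /path/to/alias-wrapper "$RET"
```

Clearing the bit leaves the file in place, which is why the thread treats it as equivalent to turning `alias_wrapper` off: the wrapper can still be executed, but without the setuid bit it only carries the privileges of whoever runs it.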