retitle 506353 CVE-2008-5312/3: mailscanner might allow local users to overwrite arbitrary files via a symlink attack
thanks

On Wednesday 03 December 2008, Simon Walter wrote:
>
> Hello,

Hello,

[...]
>
> I have put Julian Field (upstream author) in CC to inform him about
> all this. (@Julian: the full bugreport is here [1])
>
> If he is willing and able to fix the problems in a feature
> release before lenny is released I will try to backport the fixes to
> the current package in lenny.
>
> > Otherwise this package should be removed.
> Ok, let's see what happens.
>
> I'm also wondering why [2] marks CVE-2008-5140 as fixed for
> sid+lenny. It claims the bug was fixed with 4.57.6-1, but there is no
> difference between 4.55.10-3 and 4.57.6-1.

Because the trend-autoupdate.new script was no longer shipped in 4.57.6-1,
thereby "fixing" the problem, as to what Debian matters.

For the other issues I reported on my original email which are not covered in
CVE-2008-5140, the following two CVE ids have been assigned: CVE-2008-5312[C1]
and CVE-2008-5313[C2].
Those are the ones that need to be fixed for this bug to get closed.

Oh, and just to make sure everybody got the message: version in etch is
vulnerable as well. I'm CC'ing the stable security team so that they comment
on what to do with it.

[C1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5312
     http://security-tracker.debian.net/tracker/CVE-2008-5312
[C2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5313
     http://security-tracker.debian.net/tracker/CVE-2008-5313

>
> Sorry for the late reply.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net