I'm forwarding this, which I got from Julian (MailScanner upstream).
G.
----- Original Message -----
From: "Julian Field" <mailscan...@ecs.soton.ac.uk>
To: "Gabor FUNK" <funk.ga...@hunetkft.hu>
Sent: Wednesday, December 24, 2008 3:27 PM
Subject: Re: Bug#506353: lenny removal requests
The vulnerabilities in MailScanner have all been fixed.
On 24/12/08 10:20, Gabor FUNK wrote:
So here are three RC bugs with maintainers clearly indicating that they
don't want the buggy packages to release, and none look like they will be
fixed. The packages do not have reverse dependencies, so they seem to be
good for removal.
....
mailscanner #506353
The maintainer Simon Walter writes:
In the current state the package should not be part of
the lenny release.
I'm in no position to fix all this. I'm not familiar enough with
the MailScanner sourcecode and I'm not able to test the changes I
would have to make, in particular to all the virusscanner scripts.
upstream apparently does not seem to, let's say, consider the tempfile
vulnerability a bug and does not seem to want to fix it.
The mailscanner temp vulnerability seems to be fixed in upstream:
---
http://www.mailscanner.info/ChangeLog
18/12/2008 New in Version 4.74.11-1
...
* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting -autoupdate lock files.
  Note: This vulnerability only affected systems where normal interactive users
  could log in to the system, or create arbitrary symlinks in your filesystem.
  So the ISP-style setups were never vulnerable, as they didn't allow normal
  users to login or allow people to arbitrarily create symlinks in the filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin
---
Or are there more?
G.
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at ju...@jules.fm
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
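The bug class discussed in the thread above is a symlink attack on a lock or temp file at a predictable path: a local user plants a symlink where the daemon will create its lock file, and a naive open() follows the link and truncates whatever the link points to. The following is an added example, not MailScanner's own code or its actual fix: it stages the attack in a private temporary directory against a constructed "victim" file, shows the plain open() overwriting the victim, and then shows the hardened variant (O_CREAT|O_EXCL|O_NOFOLLOW) refusing the planted symlink while still creating the lock once the path is clean. The file names (autoupdate.lock, victim.conf) are assumptions for illustration; POSIX semantics for os.symlink and the open flags are assumed.

```python
import errno
import os
import tempfile

VICTIM_CONTENT = "important=yes\n"  # constructed sample content for the victim file


def vulnerable_lock(lock_path: str, payload: str = "lock\n") -> None:
    """Lock file at a predictable path, opened with a plain open(..., 'w').

    If an attacker has already placed a symlink at lock_path, open() follows it
    and truncates/overwrites the file the symlink points to.
    """
    with open(lock_path, "w") as fh:
        fh.write(payload)


def hardened_lock(lock_path: str, payload: str = "lock\n") -> bool:
    """Create the lock file only if nothing exists at the path yet.

    O_EXCL makes open() fail with EEXIST when anything (including a dangling
    symlink) already exists at the path; O_NOFOLLOW additionally refuses to
    follow a symlink at the final path component (ELOOP). The descriptor
    returned is for the file we created, so writes can never land elsewhere.
    Returns True when the lock was created, False when it was refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, 0o600)
    except FileExistsError:
        return False
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            return False
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(payload)
    return True


def _read(path: str) -> str:
    with open(path) as fh:
        return fh.read()


def demo_symlink_attack() -> dict:
    """Stage the attack in a private temp dir and compare both lock routines.

    The "attacker" pre-creates <dir>/autoupdate.lock as a symlink to
    <dir>/victim.conf before the "daemon" ever runs.
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        lock = os.path.join(d, "autoupdate.lock")
        with open(victim, "w") as fh:
            fh.write(VICTIM_CONTENT)
        os.symlink(victim, lock)  # attacker plants the symlink (assumed POSIX)

        # 1. Naive daemon: follows the symlink and clobbers the victim file.
        vulnerable_lock(lock)
        after_vulnerable = _read(victim)

        # 2. Reset the victim; hardened daemon refuses the planted symlink.
        with open(victim, "w") as fh:
            fh.write(VICTIM_CONTENT)
        created_over_symlink = hardened_lock(lock)
        after_hardened = _read(victim)

        # 3. With the symlink gone, the hardened routine creates the lock normally.
        os.unlink(lock)
        created_clean = hardened_lock(lock)
        lock_is_regular = os.path.isfile(lock) and not os.path.islink(lock)

        return {
            "after_vulnerable": after_vulnerable,
            "after_hardened": after_hardened,
            "hardened_created_over_symlink": created_over_symlink,
            "hardened_created_clean": created_clean,
            "lock_is_regular_file": lock_is_regular,
        }


if __name__ == "__main__":
    for key, value in demo_symlink_attack().items():
        print(f"{key}: {value!r}")
```

The interesting part is that the hardened routine never inspects the path with lstat() first and then opens it; that would reintroduce a race between the check and the open. The check is done atomically by the kernel via the open flags, and the returned descriptor is trusted from then on. In a long-running Perl daemon the same effect is obtained with sysopen() and the O_EXCL|O_NOFOLLOW flags from the Fcntl module, or by creating lock files only under a directory that unprivileged users cannot write to.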