Hello, There has recently been announced a security hole in Elm on bugtraq and subsequently on linux-security that could lead to unauthorized to, at minimum, the mail spool for every user on the system.
Debian's default Elm for stable (1.2.x) is Elm. This version of Elm is vulnerable. The default mailer for frozen (upcoming 1.3 release) and unstable (continuing development), Elm-ME+ (an enhanced version of Elm), is also vulnerable. I have patched Elm-ME+ to fix this problem. I have released the packages into stable, frozen, and unstable. In addition, the latest Elm-ME+ is always available via anonymous FTP from: ftp://happy.cs.twsu.edu/pub/Debian/binaries The fixed version of Elm-ME+, elm-me+_2.4pl25ME+31-5_i386.deb, is available for immediate download at: ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb (wow....what a URL!!) I would advise people to upgrade to the latest Elm-ME+. Those people running Elm and not Elm-ME+ -- Elm-ME+ fixes a number of other bugs as well, so it wouldn't hurt to upgrade. To the webmaster -- please announce this on the security page. Thanks, John Goerzen -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
