On Sun, 2005-08-28 at 10:22 +0100, Steve Kemp wrote:
> On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:
>
> > > Certainly. Once the advisory is out I can make an upload if Joy
> > > hasn't already made one.
> > >
> >
> > I can also do an upload; Joy already said I should comai
Andres Salomon wrote:
> On Sun, 2005-08-28 at 10:22 +0100, Steve Kemp wrote:
> > On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:
> >
> > > > Certainly. Once the advisory is out I can make an upload if Joy
> > > > hasn't already made one.
> > > >
> > >
> > > I can also do an u
On Sun, 28 Aug 2005 13:00:19 +0200
Martin Schulze <[EMAIL PROTECTED]> wrote:
> Andres Salomon wrote:
> > On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> > > On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> > >
> > > > Thanks a lot for the report. This is CAN-2005-2655.
>
Andres Salomon wrote:
> On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> > On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> >
> > > Thanks a lot for the report. This is CAN-2005-2655.
> > >
> > > > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > >
On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:
> > Certainly. Once the advisory is out I can make an upload if Joy
> > hasn't already made one.
> >
>
> I can also do an upload; Joy already said I should comaintain, I've just
> been waiting for racke to do a new courier uploa
On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
>
> > Thanks a lot for the report. This is CAN-2005-2655.
> >
> > > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > > and should be easy to fix: Just a
Max Vozeler wrote:
> Short description:
> lockmail.maildrop (setgid mail) lets the user specify a program and
> execvp()s it, but does not drop egid mail privilege before doing so.
> This opens a trivial privilege escalation (see "poc") to group mail.
Thanks a lot for the report. This is CAN-200
On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> Thanks a lot for the report. This is CAN-2005-2655.
>
> > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > and should be easy to fix: Just add setgid(getgid()) before the
> > execvp(). I tested the attache
Package: maildrop
Version: 1.5.3-1.1
Severity: critical
Justification: local privilege escalation
Tags: security sarge sid patch
Hi Josip,
I've already tried to contact you about this, but have not heard
from you. I'm filing it now to keep track. Please refer to message
<[EMAIL PROTECTED]> for fu