
Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities
On Mon, Apr 08, 2002 at 10:36:31AM -0400, Bruce R. Lewis wrote:
> A recent message on debian-devel-announce shows cgiemail having been
> removed from the upcoming release.
> 
> Has the buffer overflow fix for cgicso been checked in?  If not, one
> option is to remove cgicso entirely, as it is really not useful except
> at MIT, and its existence probably confuses some people.
> 
> As for the script-reading vulnerability, why not just have cgiemail and
> cgiecho not echo back the message sent at all; just say "a message was
> sent" or somesuch.  Seems like a quick fix is needed if cgiemail is to
> be included in woody.

Better fixes are available, though. I'd forgotten that the last message
in this bug left it up to me to test them ... I'll have a look today or
tomorrow and see if we can get this sorted.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]