
Elm Vulnerability


There has recently been announced a security hole in Elm on bugtraq and
subsequently on linux-security that could lead to unauthorized access to, at
minimum, the mail spool for every user on the system.

Debian's default Elm for stable (1.2.x) is Elm.  This version of Elm is

The default mailer for frozen (upcoming 1.3 release) and unstable
(continuing development), Elm-ME+ (an enhanced version of Elm), is also

I have patched Elm-ME+ to fix this problem.  I have released the packages
into stable, frozen, and unstable.  In addition, the latest Elm-ME+ is
always available via anonymous FTP from:


The fixed version of Elm-ME+, elm-me+_2.4pl25ME+31-5_i386.deb, is available
for immediate download at:


(wow....what a URL!!)

I would advise people to upgrade to the latest Elm-ME+.  Those people
running Elm and not Elm-ME+ -- Elm-ME+ fixes a number of other bugs as well,
so it wouldn't hurt to upgrade.

To the webmaster -- please announce this on the security page.

John Goerzen

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
