Elm Vulnerability

To: debian-devel@lists.debian.org, debian-security@lists.debian.org, webmaster@debian.org
Subject: Elm Vulnerability
From: John Goerzen <jgoerzen@happy.cs.twsu.edu>
Date: Thu, 15 May 1997 11:44:08 -0500
Message-id: <[🔎] 19970515114408.37788@happy.cs.twsu.edu>

Hello,

There has recently been announced a security hole in Elm on bugtraq and
subsequently on linux-security that could lead to unauthorized to, at
minimum, the mail spool for every user on the system.

Debian's default Elm for stable (1.2.x) is Elm.  This version of Elm is
vulnerable.

The default mailer for frozen (upcoming 1.3 release) and unstable
(continuing development), Elm-ME+ (an enhanced version of Elm), is also
vulnerable.

I have patched Elm-ME+ to fix this problem.  I have released the packages
into stable, frozen, and unstable.  In addition, the latest Elm-ME+ is
always available via anonymous FTP from:

  ftp://happy.cs.twsu.edu/pub/Debian/binaries

The fixed version of Elm-ME+, elm-me+_2.4pl25ME+31-5_i386.deb, is available
for immediate download at:

ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb

(wow....what a URL!!)

I would advise people to upgrade to the latest Elm-ME+.  Those people
running Elm and not Elm-ME+ -- Elm-ME+ fixes a number of other bugs as well,
so it wouldn't hurt to upgrade.

To the webmaster -- please announce this on the security page.

Thanks,
John Goerzen


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Prev by Date: Re: Bug#9813: rxvt 2.20-4 : Bad setting of TERM environ variable
Next by Date: Re: New Package Developer Needs A Little Help
Previous by thread: Re: Bug#9813: rxvt 2.20-4 : Bad setting of TERM environ variable
Next by thread: Search engine for bug-track
Index(es):
- Date
- Thread