
Re: Wheezy update of sendmail?



Hi All,

2016-11-09 10:44 GMT+01:00 Andreas Beckmann <anbe@debian.org>:
> On 2016-10-31 23:17, Andreas Beckmann wrote:
>> Please go ahead - probably we could use the fix (that someone produces
>> for wheezy) for jessie and sid as well. Please put everything into git,
>> branch wheezy, the repo is in collab-maint.
>
> I have now a completely untested patch for this issue sitting in GIT
> master (can be cherry-picked into wheezy with only a changelog
> conflict). Any feedback and testing would be welcome.

The changes look good to me but I think this internal security
improvement does not warrant a security update for wheezy like it is
marked as no-dsa for jessie, too.

The vulnerability would allow privilege escalation from group smmsp to
root but there seems to be no known privilege escalation vulnerability
from a normal user to smmsp and normal users should not be part of
smmsp group:
http://www.deer-run.com/~hal/sysadmin/Sendmail-Unprivileged.html
http://www.sendmail.com/pdfs/open_source/installation_and_op_guide.pdf
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257

Cheers,
Balint
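
The condition the message above relies on, that no normal user is in group smmsp, can be audited on a host. This is an added example, not part of the original e-mail or of the Debian sendmail package; the function names and the sample group and passwd entries in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts that hold group smmsp, other than the
# smmsp service account itself. File paths are parameters so the check
# can run against copies; the defaults are the live system files.

# smmsp_members [GROUP_FILE] [PASSWD_FILE]
# Prints one account name per line: supplementary members listed in the
# group file, plus accounts whose primary GID is the smmsp GID.
smmsp_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    gid=$(awk -F: '$1 == "smmsp" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0    # no smmsp group: nothing to report
    {
        # Supplementary members: fourth field of the group entry.
        awk -F: '$1 == "smmsp" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary-group members: fourth field of passwd equals the GID.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u | grep -v -x 'smmsp' || true
}

# demo: run the check over constructed sample files (not real system data).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:' \
        'smmsp:x:108:alice' \
        'users:x:100:alice,bob' > "$tmp/group"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'smmsp:x:107:108:constructed service account:/nonexistent:/bin/false' \
        'alice:x:1000:100:constructed user:/home/alice:/bin/sh' \
        'bob:x:1001:100:constructed user:/home/bob:/bin/sh' \
        'carol:x:1002:108:constructed user:/home/carol:/bin/sh' > "$tmp/passwd"
    smmsp_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On the sample data it reports `alice` (supplementary member) and `carol` (primary GID); calling `smmsp_members` with no arguments checks the live files, where empty output matches the expectation stated in the message.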

