
Re: Wheezy update of sendmail?



Hi,

2016-11-15 1:52 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi All,
>
> 2016-11-09 10:44 GMT+01:00 Andreas Beckmann <anbe@debian.org>:
>> On 2016-10-31 23:17, Andreas Beckmann wrote:
>>> Please go ahead - probably we could use the fix (that someone produces
>>> for wheezy) for jessie and sid as well. Please put everything into git,
>>> branch wheezy, the repo is in collab-maint.
>>
>> I have now a completely untested patch for this issue sitting in GIT
>> master (can be cherry-picked into wheezy with only a changelog
>> conflict). Any feedback and testing would be welcome.
>
> The changes look good to me but I think this internal security
> improvement does not warrant a security update for wheezy like it is
> marked as no-dsa for jessie, too.
>
> The vulnerability would allow privilege escalation from group smmsp to
> root but there seems to be no known privilege escalation vulnerability
> from a normal user to smmsp and normal users should not be part of
> smmsp group:
> http://www.deer-run.com/~hal/sysadmin/Sendmail-Unprivileged.html
> http://www.sendmail.com/pdfs/open_source/installation_and_op_guide.pdf
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257


Since there were no objections I have marked this issue no-dsa in wheezy.

Cheers,
Balint
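
The assessment quoted above rests on normal users not being members of the smmsp group. As an added example (not part of this thread or of the Debian sendmail packaging), the shell functions below audit that from passwd- and group-format files; the function names, the sample data and the assumption that only the smmsp service account should hold the group are illustrative.

```shell
#!/bin/sh
# Added example: audit who holds the smmsp group, from passwd/group-format files.

# Print every account in group $3 (default smmsp): names in the group's member
# list plus accounts whose primary GID (passwd field 4) is the group's GID.
group_members() {
    group_file=$1 passwd_file=$2 group_name=${3:-smmsp}
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    {
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
        fi
    } | sort -u
}

# Same list minus the account expected to hold the group ($4, default smmsp).
# Assumption: only the dedicated "smmsp" service account should be a member.
unexpected_members() {
    group_members "$1" "$2" "${3:-smmsp}" | grep -vxF -e "${4:-smmsp}" || true
}

# Constructed sample data (not taken from any real host).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
mail:x:8:
smmsp:x:108:alice
users:x:100:alice,bob
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
smmsp:x:105:108:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:108:Carol:/home/carol:/bin/bash
EOF
    unexpected_members "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

demo
```

On a host, run `unexpected_members /etc/group /etc/passwd`; for accounts served by LDAP or NIS, save `getent group` and `getent passwd` output to files and pass those instead.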

