[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#506353: lenny removal requests

so here are three RC bugs with maintainers clearly indicating that they
don't want the buggy packages to release and none look like they will be
fixed. The package do not have reverse dependencies, so they seem to be
good for removal.
mailscanner #506353
 The maintainer Simon Walter writes:
   In the current state the package should not be part of
   the lenny release.
   I'm in no position to fix all this. I'm not familiar enough with
   the MailScanner sourcecode and I'm not able to test the changes I
   would have to make, in particular to all the virusscanner scripts.
 upstream apparently does not seem to, let's say, consider the tempfile
 vulnerability a bug and does not seem to want to fix it.

The mailscanner temp vulnerability seems to be fixed in upstream:

18/12/2008 New in Version 4.74.11-1
* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting -autoupdate
 lock files.
Note: This vulnerability only affected systems where normal interactive users could log in to the system, or create arbitrary symlinks in your filesystem.
 So the ISP-style setups were never vulnerable, as they didn't allow normal
users to login or allow people to arbitrarily create symlinks in the filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin

Or are there more?

Reply to: