Re: Bug#506353: lenny removal requests
so here are three RC bugs with maintainers clearly indicating that they
don't want the buggy packages to release and none look like they will be
fixed. The packages do not have reverse dependencies, so they seem to be
good for removal.
The maintainer Simon Walter writes:
In the current state the package should not be part of
the lenny release.
I'm in no position to fix all this. I'm not familiar enough with
the MailScanner source code and I'm not able to test the changes I
would have to make, in particular to all the virusscanner scripts.
Upstream apparently does not seem to, let's say, consider the tempfile
vulnerability a bug and does not seem to want to fix it.
The mailscanner temp vulnerability seems to be fixed in upstream:
18/12/2008 New in Version 4.74.11-1
* Fixes *
2 Major work on removing symlink attack vulnerabilities
Note: This vulnerability only affected systems where normal interactive
could log in to the system, or create arbitrary symlinks in your
So the ISP-style setups were never vulnerable, as they didn't allow normal
users to login or allow people to arbitrarily create symlinks in the
2 Removed symlink attack vulnerabilities in SpamAssassin
Or are there more?