
Re: Bug#506353: lenny removal requests



so here are three RC bugs with maintainers clearly indicating that they
don't want the buggy packages to release and none look like they will be
fixed. The packages do not have reverse dependencies, so they seem to be
good for removal.
....
mailscanner #506353
 The maintainer Simon Walter writes:
   In the current state the package should not be part of
   the lenny release.
   I'm in no position to fix all this. I'm not familiar enough with
   the MailScanner sourcecode and I'm not able to test the changes I
   would have to make, in particular to all the virusscanner scripts.
 upstream apparently does not seem to, let's say, consider the tempfile
 vulnerability a bug and does not seem to want to fix it.

The mailscanner temp vulnerability seems to be fixed in upstream:

---
http://www.mailscanner.info/ChangeLog
18/12/2008 New in Version 4.74.11-1
...
* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting -autoupdate
 lock files.
Note: This vulnerability only affected systems where normal interactive users could log in to the system, or create arbitrary symlinks in your filesystem.
 So the ISP-style setups were never vulnerable, as they didn't allow normal
users to login or allow people to arbitrarily create symlinks in the filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin
---

Or are there more?

G.
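
Added example, not part of the original message and not MailScanner's code: a sketch of lock-file creation that refuses a pre-planted symlink, the class of problem the quoted ChangeLog entry describes for systems where local users can create symlinks. The lock file name and directory layout are hypothetical, and the scenario in `demo()` is constructed.

```python
import errno
import os
import tempfile


def acquire_lock(path):
    """Create the lock file at `path`, or return None if anything is already there.

    O_EXCL makes creation fail if the name exists, including when it is a
    symlink (dangling or not), so the open never writes through a link that
    another local user planted. O_NOFOLLOW is added as a second guard.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return None
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{os.getpid()}\n")
    return path


def demo():
    """Constructed scenario: a symlink already sits where the lock file will go."""
    workdir = tempfile.mkdtemp()  # stands in for a shared, writable directory
    victim = os.path.join(workdir, "important.conf")
    with open(victim, "w") as fh:
        fh.write("original\n")
    lock = os.path.join(workdir, "example-autoupdate.lock")  # hypothetical name
    os.symlink(victim, lock)
    refused = acquire_lock(lock) is None
    with open(victim) as fh:
        untouched = fh.read() == "original\n"
    os.unlink(lock)  # remove the planted link
    created = acquire_lock(lock) == lock and not os.path.islink(lock)
    return refused, untouched, created


if __name__ == "__main__":
    print(demo())
```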