Hi,
* Gabor FUNK <FUNK.Gabor@hunetkft.hu> [2008-12-24 12:14]:
> http://www.mailscanner.info/ChangeLog
> 18/12/2008 New in Version 4.74.11-1
> ...
> * Fixes *
> 2 Major work on removing symlink attack vulnerabilities affecting -autoupdate
> lock files.
> Note: This vulnerability only affected systems where normal interactive users
> could log in to the system, or create arbitrary symlinks in your filesystem.
> So the ISP-style setups were never vulnerable, as they didn't allow normal
> users to login or allow people to arbitrarily create symlinks in the
> filesystem.
> 2 Removed symlink attack vulnerabilities in SpamAssassin
> ---
>
> Or are there more?

Who should tell that based on this changelog? The description of
CVE-2008-5313 and CVE-2008-5312 differs quite a lot from the above
changelog. Looking at the code would make sense if it would be
obvious how to get it from the upstream homepage.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.