[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#506353: lenny removal requests



Hi,
* Gabor FUNK <FUNK.Gabor@hunetkft.hu> [2008-12-24 12:14]:
> http://www.mailscanner.info/ChangeLog
> 18/12/2008 New in Version 4.74.11-1
> ...
> * Fixes *
> 2 Major work on removing symlink attack vulnerabilities affecting -autoupdate
>  lock files.
>  Note: This vulnerability only affected systems where normal interactive users
>  could log in to the system, or create arbitrary symlinks in your filesystem.
>  So the ISP-style setups were never vulnerable, as they didn't allow normal
>  users to login or allow people to arbitrarily create symlinks in the 
> filesystem.
> 2 Removed symlink attack vulnerabilities in SpamAssassin
> ---
> 
> Or are there more?

Who should tell that based on this changelog? The 
description of CVE-2008-5313 and CVE-2008-5312 differs quite 
a lot from the above changelog.

Looking at the code would make sense if it would be obvious 
how to get it from the upstream homepage.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpB1ZnOBRdY0.pgp
Description: PGP signature


Reply to: