Hi, Colin Watson and I have fixed various security vulnerabilites in cgiemail. I used to be the maintainer of cgiemail, but I recently orphaned it because, even after these fixes, it is not a particularly secure or otherwise good piece of software, and I am not really up to maintaining it. I am not sure whether or not it should be included in woody. I suppose that doing so would be good for upgraders, but I really would not trust cgiemail much. * a script-reading vulnerability was fixed in version 1.6-13, which is in incoming, with the caveat that either you have the fix or you have backward compatability (the decision is made at runtime). * a remotely-exploitable buffer overflow was fixed in version 1.6-9. * a path disclosure vulnerability was fixed in version 1.6-5. The first two are Bug#129104. The version in stable is 1.6-1. The buffer overflow could give root. All of these holes have been known around the internet for ages, and the upstream maintainers are pretty much completely unresponsive. Anyway, there needs to be a security announcement. I suppose that I can provide patches back to the pre-dh_make (that is, pre-1.6-4) version of cgiemail, just fixing the vulnerabilities and adding the documentation. Does that need to be done? Anything else? Thanks, -thomas -- Thomas "resc" Smith <tgs@resc.net> web: http://finbar.dyndns.org/ gpg key id 1024D/ACABA81E, fingerprint: 3A47 CFA5 0E5D CF4A 5B22 12D3 FF1B 84FE ACAB A81E
Attachment:
pgpLM_rqxDopZ.pgp
Description: PGP signature