
postgrey: updates for stable-security and volatile



Yodel!

About a month ago, I was contacted by joey about a format string 
vulnerability in postgrey.  Discussion revealed:
 * I couldn't reproduce this under normal circumstances.
 * running postgrey with --verbose would expose the problem.
 * 1.21 (sarge version) contained a fix for a similar problem, but the fix 
from 1.22 was clearly superior.
(Did I miss any fact?  I cc:ed all relevant messages to team@security)
 * A patch was developed, together with upstream, and discussed.

In the end, work was delayed and I had two wonderful weeks in Iceland :-)

I have now prepared packages for security and volatile.  Please see 
<http://fortytwo.ch/~avbidder/postgrey_1.21-1sarge1/> and
<http://fortytwo.ch/~avbidder/postgrey_1.21-1volatile4/> respectively.  The 
1.22-...-patch is the change to the postgrey binary.

I fixed one unrelated bug (--dbdir option), because the bug was particularly 
annoying if it hit you (postgrey won't work at all with that option) and 
the fix is extremely clear.

The volatile package additionally updates the whitelist to 1.25 
(zobel/sgran: I had to redo the package again after discussion on IRC; I 
forgot the md5sum stuff for the whitelist file.)

Comments?  Ok for upload?  (FWIW, just upload it if it's ok.)

cheers
-- vbi

-- 
Available for key signing in Zürich and Basel, Switzerland
                    (what's this? Look at http://fortytwo.ch/gpg/intro)
