Package: mailscanner
Version: 4.79.11-2
Severity: important
Tags: security

Hi,

The update{_bad,}_phishing_sites scripts download files and trust them without using any sort of encryption (e.g. https) or digital signature checking. They are therefore vulnerable to DNS/packet spoofing, which could be used by an attacker to, for example, replace the phishing whitelist (which could have mixed results: some messages being considered phishing and others not). Or, depending on the parsing routine of the downloaded files (which I've not reviewed), could lead to other attacks (mainly DoS, I guess).

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
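
An added example (not part of the report, and not MailScanner's code) of the check the report says is missing: authenticate a downloaded list and validate its contents before it replaces the live file. Assumptions: the list is one hostname per line with `#` comments, and a SHA-256 digest obtained from an authenticated source stands in for signature verification; the function names and the size cap are hypothetical.

```python
import hashlib
import hmac
import os
import re
import tempfile

MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound on a sane list size

# Strict hostname syntax: dot-separated labels of 1-63 chars, alphabetic TLD.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

def validate_list(data):
    """Return the hostnames in data, or raise ValueError on anything unexpected."""
    if len(data) > MAX_BYTES:
        raise ValueError("list exceeds size cap")
    hosts = []
    # Non-ASCII bytes raise UnicodeDecodeError, which is a ValueError.
    for n, raw in enumerate(data.decode("ascii").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not HOST_RE.match(line):
            raise ValueError("line %d is not a hostname" % n)
        hosts.append(line.lower())
    if not hosts:
        raise ValueError("list is empty")
    return hosts

def install_verified(data, expected_sha256, dest):
    """Install data at dest only if it matches the trusted digest and parses cleanly."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise ValueError("digest mismatch: download was altered or truncated")
    hosts = validate_list(data)
    # Write to a temp file in the same directory, then rename atomically, so a
    # rejected or half-written download never replaces the list in use.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(hosts) + "\n")
        os.chmod(tmp, 0o644)
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(hosts)
```

On any failure the previous list stays in place, so a spoofed response can at worst delay an update.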