Your message dated Mon, 07 Nov 2005 14:32:27 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#329307: fixed in masqmail 0.2.21-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Sep 2005 03:31:11 +0000
>From [EMAIL PROTECTED] Tue Sep 20 20:31:11 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.enyo.de [212.9.189.167]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EHvKA-0000Ic-00; Tue, 20 Sep 2005 20:31:11 -0700
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de)
by albireo.enyo.de with esmtp id 1EHvK7-0008Am-3O
for [EMAIL PROTECTED]; Wed, 21 Sep 2005 05:31:07 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.52)
id 1EHvJu-00023S-Dq; Wed, 21 Sep 2005 05:30:54 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Florian Weimer <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: masqmail: CAN-2005-2662 and CAN-2005-2663
X-Mailer: reportbug 3.15
Date: Wed, 21 Sep 2005 05:30:54 +0200
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Package: masqmail
Severity: grave
Tags: security sarge
Justification: user security hole
Mandriva has disclosed two security problems in masqmail:

Jens Steube discovered two vulnerabilities in masqmail:

When sending failed mail messages, the address was not properly
sanitized which could allow a local attacker to execute arbitrary
commands as the mail user (CAN-2005-2662).

When opening the log file, masqmail did not relinquish privileges,
which could allow a local attacker to overwrite arbitrary files via a
symlink attack (CAN-2005-2663).

CAN-2005-2662 seems to be quite serious.
---------------------------------------
Received: (at 329307-close) by bugs.debian.org; 7 Nov 2005 22:36:26 +0000
>From [EMAIL PROTECTED] Mon Nov 07 14:36:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EZFXP-0005lt-00; Mon, 07 Nov 2005 14:32:27 -0800
From: Oliver Kurth <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#329307: fixed in masqmail 0.2.21-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 07 Nov 2005 14:32:27 -0800
Delivered-To: [EMAIL PROTECTED]
Source: masqmail
Source-Version: 0.2.21-1
We believe that the bug you reported is fixed in the latest version of
masqmail, which is due to be installed in the Debian FTP archive:
masqmail_0.2.21-1.diff.gz
to pool/main/m/masqmail/masqmail_0.2.21-1.diff.gz
masqmail_0.2.21-1.dsc
to pool/main/m/masqmail/masqmail_0.2.21-1.dsc
masqmail_0.2.21-1_i386.deb
to pool/main/m/masqmail/masqmail_0.2.21-1_i386.deb
masqmail_0.2.21.orig.tar.gz
to pool/main/m/masqmail/masqmail_0.2.21.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Oliver Kurth <[EMAIL PROTECTED]> (supplier of updated masqmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 07 Nov 2005 14:09:21 -0800
Source: masqmail
Binary: masqmail
Architecture: source i386
Version: 0.2.21-1
Distribution: unstable
Urgency: low
Maintainer: Oliver Kurth <[EMAIL PROTECTED]>
Changed-By: Oliver Kurth <[EMAIL PROTECTED]>
Description:
masqmail - A mailer for hosts without permanent internet connection
Closes: 224273 329307 332023 332841 332960 337921
Changes:
masqmail (0.2.21-1) unstable; urgency=low
.
* security fixes (closes: #329307)
- do not use shell when executing sub programs
- do not accept backtick in email addresses
- write log files as 'mail' user
* changed default online status file to /var/run/masqmail/masqmail-route
(closes: #332841)
* depend on debconf | debconf-2.0 (closes: #332023)
* add debug.log to logrotate script (closes: #332960)
* fix typo in templates ('failure') (closes: #224273)
* use glib2 instead of old glib1.2 (closes: #337921)
* use /var/run/masqmail for pid files
Files:
8f4b8d5385a3bdebff6ba0d58b00b73e 608 mail extra masqmail_0.2.21-1.dsc
7e989a8b0562054aea22c654507f2cb5 269192 mail extra masqmail_0.2.21.orig.tar.gz
9fa228777ca065bc8587d951305f39a8 355 mail extra masqmail_0.2.21-1.diff.gz
89f92b3a4475bf2734bb4cad85d88ac6 124216 mail extra masqmail_0.2.21-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDb9KBUmVSJkUeqxsRAoVLAKDWmMxPidO1y5ayr+FoONdKyRnIOwCfQrq5
5z16VN7uB73dpkgMAuH9GrI=
=oPoW
-----END PGP SIGNATURE-----
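The first two security items in the changelog above ("do not use shell when executing sub programs", "do not accept backtick in email addresses") can be illustrated with the following added example; it is not masqmail's code. The function names `address_is_acceptable` and `run_without_shell` are hypothetical, the sample address is constructed, and `/bin/echo` is assumed to exist and stands in for the sub program.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator for the "do not accept backtick" changelog item. */
int address_is_acceptable(const char *addr)
{
    return addr != NULL && addr[0] != '\0' && strchr(addr, '`') == NULL;
}

/* Run argv[0] via execv (no /bin/sh), capturing stdout into out.
 * Returns the child's exit status, or -1 on error. */
int run_without_shell(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execv(argv[0], argv);          /* each argv[] entry stays one argument */
        _exit(127);                    /* exec failed */
    }
    close(fds[1]);
    while (used + 1 < outlen && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample address containing shell metacharacters. */
    char *argv[] = { "/bin/echo", "user`id`@example.org", NULL };
    char out[128];
    int rc = run_without_shell(argv, out, sizeof out);
    printf("rc=%d accepted=%d output=%s", rc, address_is_acceptable(argv[1]), out);
    return 0;
}
```

Because no shell parses the command line, the backticks reach the sub program as literal bytes of a single argument; the validator rejects such an address before it gets that far.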