[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Martin Hepworth maxsec at gmail.com
Tue Dec 9 14:46:01 GMT 2008

2008/12/9 Kai Schaetzl <maillists at conactive.com>:
> Simon.walter at hp-factory.de wrote on Tue, 9 Dec 2008 11:58:03 -0000 (UTC):
>> Funny how everybody focuses on this little, unimportant, technical problem
>> but ignores the real cause of my mail.
> The trend-updater problem has already been fixed in recent MS. I assume the
> other scripts will get fixed one by one over time if there really is a need.
> BTW, there was one sentence in your original quotes I absolutely agree with:
>> In the current state the package should not be part of
>> the lenny release.
> looking at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353 the
> MailScanner version in debian-stable is 4.55.10. That should indeed not be
> used anymore. If I understand this correctly the stable version is what
> comes with the current Debian 4.0?
> Kai
> --
> Kai Schätzl, Berlin, Germany

Well yeah this is a general problem with debian - esp for 'unstable'
(or rapidily updated) stuff like mailScanner, the long release cycles
give problems.

Martin Hepworth
Oxford, UK

More information about the MailScanner mailing list