> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:amavis-user-[EMAIL PROTECTED] On Behalf Of Mark Martinec
> Sent: Wednesday, January 24, 2007 5:05 PM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] First public pre-release (-pre2) of amavisd-new-2.4.5
>
> Leon,
>
> > > Sometimes I wonder why we bother and keep writing
> > > software and preparing patches, especially with
> > > security-related stuff...
> >
> > You're right here.
> > The problem is that it takes so long for OS maintainers
> > to release a new ver.
> > For Suse for example, the latest version available is
> > perl-Convert-UUlib-1.051-31 (even from opensuse factory).
> >
> > I'd prefer to grab newer .src.rpm and compile it on my system, but
> > unfortunately there is no 1.06 version for the OS I'm currently running
> > mail server on.
>
> Well, it is easy for me to drop a requirement for 1.06
> and continue being happy with 1.05. The only reason for
> a requirement are security concerns. The uulib has a rather
> buggy history, but is quite useful for the duties it performs
> in decoding malformed messages.
>
> The uulib was a target for exploits in the past,
> the last one with known exploitable bugs is 1.04,
> which is why 1.05 used to be a minimal required version
> up to amavisd 2.4.4.
>
> Looking at its change log, both the 1.05 and the 1.06 look like
> potential candidates for future attacks:
>
> 1.08(1.07):
> fixed an uninitialised variable ...
>
> 1.06:
> fix some signed/unsigned char problems of unknown relevance
>
>
> I guess I'll be removing a requirement for 1.06,
> for the amount of trouble it is causing:
>
> --- amavisd.orig Tue Jan 23 17:13:25 2007 > +++ amavisd Wed Jan 24 16:01:18 2007 
> @@ -16479,4 +16479,3 @@ > # avoid an exploitable security hole in Convert::UUlib 1.04 and older! > - # avoid likely security holes in Convert::UUlib 1.051 and older > -use Convert::UUlib 1.06 qw(:constants); > +use Convert::UUlib 1.05 qw(:constants); # 1.08 or newer is preferred! > use Compress::Zlib 1.35; # avoid security vulnerability in <= 1.34 >
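Review bot: the new minimum on the `use Convert::UUlib 1.05 qw(:constants);` line accepts 1.05 and 1.051 without any notice, while the comment it replaces ("avoid likely security holes in Convert::UUlib 1.051 and older") recorded exactly why those versions had been excluded. Since the trailing comment already says 1.08 or newer is preferred, consider keeping the removed rationale as a comment and logging a warning at startup when the loaded Convert::UUlib is older than 1.08, so that an operator running 1.05 learns about it from the log rather than from reading the source.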
Yep, it may be a good idea for now :)

>
> Mark
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/