I'm just catching up with recent vulnerabilities, and now I'm up
to those which have not been addressed in the book.  The first of
these is heirloom-mailx - CVE-2004-2771 [really!] and CVE-2014-7844.

 I originally saw this for fedora, who are using 12.5, and then for
debian who have apparently fixed both 12.4 and 12.5.  We are still
using 12.4, which made me wonder _why_: it turns out that fedora
have been using 12.5 for a little over 4 years, but they use a
script to download (and strip out the CVS junk and tar it up) from
CVS at sourceforge¹.  However, debian have posted an 'orig' tarball
heirloom-mailx_12.5.orig.tar.gz in pool/main/h/heirloom-mailx.

 [ aside - does anybody still install CVS on a normal system? ]

 At the moment I have not looked at what is in the new version, but
does anybody object to using the 12.5 version from debian (with the
set of patches rolled up into one)?

 From debian's changelog for 12.4:
heirloom-mailx (12.4-2+deb6u1) squeeze-lts; urgency=high

* Non-maintainer upload by the Debian LTS Team.
* Apply patches from Red Hat to address command execution issues:
  + 0011-outof-Introduce-expandaddr-flag.patch
    Disable command execution in email addresses (CVE-2014-7844)
  + 0012-unpack-Disable-option-processing-for-email-addresses.patch
  + 0013-fio.c-Unconditionally-require-wordexp-support.patch
  + 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch (CVE-2004-2771)

ĸen

[1.]
http://pkgs.fedoraproject.org/cgit/mailx.git/plain/get-upstream-tarball.sh
-- 
Nanny Ogg usually went to bed early. After all, she was an old lady.
Sometimes she went to bed as early as 6 a.m.
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

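An added example, not code from the message above, from heirloom-mailx, or from the Red Hat/Debian patches the changelog names: the 0014 patch is described as invoking wordexp with WRDE_NOCMD, which is the fix for CVE-2004-2771. The stand-alone C program below uses a hypothetical expand_name() in place of mailx's own filename expansion to show what that one flag changes. Without it, a crafted name such as inbox-$(id).txt is handed to /bin/sh for command substitution; with it, wordexp(3) refuses the name with WRDE_CMDSUB before any shell is started. The inputs are constructed for the demonstration, and the code assumes a glibc or musl libc (wordexp is POSIX, but a few details such as not forking for plain words are glibc behaviour).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* malloc'd copy of S (avoids relying on strdup's feature macros). */
static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p)
        memcpy(p, s, len);
    return p;
}

/* Hypothetical stand-in for a mail client's filename expansion.
 * Expands NAME like a shell word (tilde, $VAR, globs).  With ALLOW_CMD
 * set, command substitution ("$(...)" and backticks) is permitted and
 * wordexp(3) runs /bin/sh to evaluate it: the pre-patch behaviour
 * behind CVE-2004-2771.  With ALLOW_CMD clear, WRDE_NOCMD is passed and
 * such names are rejected with WRDE_CMDSUB before any shell is started.
 * Returns 0 on success (*OUT then holds a malloc'd copy of the first
 * expanded word, or NULL for an empty expansion, and *NWORDS the word
 * count) or the wordexp error code. */
int expand_name(const char *name, int allow_cmd, char **out, size_t *nwords)
{
    wordexp_t we;
    int rc;

    *out = NULL;
    *nwords = 0;
    memset(&we, 0, sizeof we);
    rc = wordexp(name, &we, allow_cmd ? 0 : WRDE_NOCMD);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* partial allocation must be freed */
            wordfree(&we);
        return rc;
    }
    *nwords = we.we_wordc;
    if (we.we_wordc > 0)
        *out = dup_str(we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

/* 1 if the hardened (WRDE_NOCMD) expansion refuses NAME because it
 * contains command substitution, 0 otherwise. */
int hardened_rejects(const char *name)
{
    char *w;
    size_t n;
    int rc = expand_name(name, 0, &w, &n);
    free(w);
    return rc == WRDE_CMDSUB;
}

/* Number of words NAME expands to in hardened mode, 0 on any error. */
size_t hardened_word_count(const char *name)
{
    char *w;
    size_t n;
    if (expand_name(name, 0, &w, &n) != 0)
        return 0;
    free(w);
    return n;
}

/* 1 if the first word of NAME's hardened expansion equals EXPECT. */
int hardened_first_word_is(const char *name, const char *expect)
{
    char *w;
    size_t n;
    int ok;
    if (expand_name(name, 0, &w, &n) != 0 || w == NULL)
        return 0;
    ok = strcmp(w, expect) == 0;
    free(w);
    return ok;
}

int main(void)
{
    /* Constructed inputs: one benign name and two crafted ones. */
    const char *names[] = { "mbox", "inbox-$(echo pwned).txt", "`echo pwned`" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *w;
        size_t n;
        int rc;

        /* Pre-patch: command substitution is run through /bin/sh. */
        rc = expand_name(names[i], 1, &w, &n);
        printf("no WRDE_NOCMD : %-24s -> rc=%d first=%s\n",
               names[i], rc, rc == 0 && w ? w : "(none)");
        free(w);

        /* Patched: refused with WRDE_CMDSUB, nothing executed. */
        rc = expand_name(names[i], 0, &w, &n);
        printf("   WRDE_NOCMD : %-24s -> rc=%d%s first=%s\n",
               names[i], rc, rc == WRDE_CMDSUB ? " (WRDE_CMDSUB)" : "",
               rc == 0 && w ? w : "(none)");
        free(w);
    }
    return 0;
}
```

Note that WRDE_NOCMD only closes the command-substitution route; wordexp still performs tilde, variable and glob expansion, and a name quoted in single quotes ('$(id)') is accepted literally, which is the behaviour you want for a user who really has such a file. Checking that the surrounding code never passes attacker-controlled text to wordexp without this flag is the review point the 0014 patch title describes.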