Package: spamassassin
Version: 3.0.2-1
Severity: important
Tags: security upstream

There is an upstream bug that we probably should follow closely, as it may have security implications, namely this bug:
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086

Apparently, spamd children get root after processing a message, and this could potentially help an attacker if there are security problems with SA. On my system, it looks like spamd runs as root from the start, but it may just be that the change happens quickly enough so that I don't see it.

If a fix is found before the release of Sarge, it may be a good idea to backport it, I guess. One could also investigate whether a Debian-specific fix is possible, but I'm not up to that task... :-)

Kjetil

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.2004-09-07-13.owl.1.oss
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages spamassassin depends on:
ii  debconf                  1.4.30.11  Debian configuration management sy
ii  libdigest-sha1-perl      2.10-1     NIST SHA-1 message digest algorith
ii  libhtml-parser-perl      3.45-1     A collection of modules that parse
ii  perl [libstorable-perl]  5.8.4-6    Larry Wall's Practical Extraction
ii  spamc                    3.0.2-1    Client for SpamAssassin spam filte

-- debconf information:
* spamassassin/upgrade/2.40:
  spamassassin/upgrade/2.40w:
* spamassassin/upgrade/cancel: Continue
* spamassassin/upgrade/2.42: No
  spamassassin/upgrade/2.42m:
  spamassassin/upgrade/2.42u:
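One way to check what the report describes, as an added example that is not part of the original report or of SpamAssassin: read the real, effective and saved UIDs of each spamd process from /proc/<pid>/status on Linux, so a child that shows a non-root effective UID but can still regain root is distinguished from one that has fully dropped privileges. The process-name match "spamd" and the sample status text are assumptions.

```python
import glob

def parse_status(text):
    """Return (name, uids) from the text of /proc/<pid>/status.

    uids holds the four values of the Uid: line in kernel order.
    """
    name, uids = None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        elif key == "Uid":
            real, eff, saved, fs = (int(v) for v in value.split())
            uids = {"real": real, "effective": eff, "saved": saved, "fs": fs}
    return name, uids

def classify(uids):
    """Describe how much root a process still holds."""
    if uids["effective"] == 0:
        return "running as root"
    if uids["real"] == 0 or uids["saved"] == 0:
        # Non-root effective UID, but seteuid(0) would still succeed.
        return "can regain root"
    return "fully dropped"

def scan(match="spamd"):
    """Classify every live process whose Name contains `match`.

    Assumption: spamd and its children appear under that name on this host.
    """
    results = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                name, uids = parse_status(fh.read())
        except OSError:  # process exited between glob and open
            continue
        if name and uids and match in name:
            results.append((path.split("/")[2], name, uids, classify(uids)))
    return results

# Constructed sample, not captured from a real system.
SAMPLE_CHILD = ("Name:\tspamd\nState:\tS (sleeping)\n"
                "Uid:\t1001\t1001\t0\t1001\nGid:\t1001\t1001\t1001\t1001\n")

if __name__ == "__main__":
    for pid, name, uids, verdict in scan():
        print(pid, name, uids, verdict)
```

Because the UIDs may change while a message is being processed, a single run is only a snapshot; running it repeatedly while mail is being scanned gives a better picture.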

