Hi All,

2016-11-09 10:44 GMT+01:00 Andreas Beckmann <[email protected]>:
> On 2016-10-31 23:17, Andreas Beckmann wrote:
>> Please go ahead - probably we could use the fix (that someone produces
>> for wheezy) for jessie and sid as well. Please put everything into git,
>> branch wheezy, the repo is in collab-maint.
>
> I have now a completely untested patch for this issue sitting in GIT
> master (can be cherry-picked into wheezy with only a changelog
> conflict). Any feedback and testing would be welcome.

The changes look good to me, but I think this internal security improvement does not warrant a security update for wheezy, like it is marked as no-dsa for jessie, too.

The vulnerability would allow privilege escalation from group smmsp to root, but there seems to be no known privilege escalation vulnerability from a normal user to smmsp, and normal users should not be part of the smmsp group:

http://www.deer-run.com/~hal/sysadmin/Sendmail-Unprivileged.html
http://www.sendmail.com/pdfs/open_source/installation_and_op_guide.pdf
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257

Cheers,
Balint
