Hi,

2016-11-15 1:52 GMT+01:00 Bálint Réczey <[email protected]>:
> Hi All,
>
> 2016-11-09 10:44 GMT+01:00 Andreas Beckmann <[email protected]>:
>> On 2016-10-31 23:17, Andreas Beckmann wrote:
>>> Please go ahead - probably we could use the fix (that someone produces
>>> for wheezy) for jessie and sid as well. Please put everything into git,
>>> branch wheezy, the repo is in collab-maint.
>>
>> I have now a completely untested patch for this issue sitting in GIT
>> master (can be cherry-picked into wheezy with only a changelog
>> conflict). Any feedback and testing would be welcome.
>
> The changes look good to me but I think this internal security
> improvement does not warrant a security update for wheezy like it is
> marked as no-dsa for jessie, too.
>
> The vulnerability would allow privilege escalation from group smmsp to
> root but there seems to be no known privilege escalation vulnerability
> from a normal user to smmsp and normal users should not be part of
> smmsp group:
> http://www.deer-run.com/~hal/sysadmin/Sendmail-Unprivileged.html
> http://www.sendmail.com/pdfs/open_source/installation_and_op_guide.pdf
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257

Since there were no objections I have marked this issue no-dsa in wheezy.

Cheers,
Balint
