Hi For the record, I answered him in German and sent the patch that can be extracted by comparing the old and the new version via debdiff.
Cheers Steffen > sorry to bug you directly but i could not find any specific information > on the mentioned cve. my questions: > > a) we're still running maildrop 1.6, is this also vulnerable? > b) could you please send me the diff that was applied to fix this cve? > > thank you very much in advance! > > jürgen herrmann > > On Thu, 28 Jan 2010 21:19:50 +0100 (CET), [email protected] (Steffen > Joeris) > > wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > - > > ------------------------------------------------------------------------ > > > Debian Security Advisory DSA-1981-2 [email protected] > > http://www.debian.org/security/ Steffen Joeris > > January 28, 2010 http://www.debian.org/security/faq > > - > > ------------------------------------------------------------------------ > > > Package : maildrop > > Vulnerability : privilege escalation > > Problem type : local > > Debian-specific: no > > CVE Id : CVE-2010-0301 > > Debian Bug : 564601 > > > > The latest DSA for maildrop introduced two regressions. The maildrop > > program stopped working when invoked as a non-root user, such as with > > postfix. Also, the lenny version dropped a dependency on the > > courier-authlib package. > > > > > > For the stable distribution (lenny), this problem has been fixed in > > version 2.0.4-3+lenny3. > > > > For the oldstable distribution (etch), this problem has been fixed in > > version 2.0.2-11+etch2. > > > > For the testing distribution (squeeze) this problem will be fixed soon. > > > > For the unstable distribution (sid), this problem has been fixed in > > version 2.2.0-3.1. > > > > For reference, the original advisory text is below. > > > > Christoph Anton Mitterer discovered that maildrop, a mail delivery agent > > with filtering abilities, is prone to a privilege escalation issue that > > grants a user root group privileges. > > > > We recommend that you upgrade your maildrop packages. > > > > > > Upgrade instructions > > - -------------------- > > > > wget url > > will fetch the file for you > > dpkg -i file.deb > > will install the referenced file. > > > > If you are using the apt-get package manager, use the line for > > sources.list as given below: > > > > apt-get update > > will update the internal database > > apt-get upgrade > > will install corrected packages > > > > You may use an automated update by adding the resources from the > > footer to the proper configuration. > > > > > > Debian GNU/Linux 4.0 alias etch > > - ------------------------------- > > > > Debian (oldstable) > > - ------------------ > > > > Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, > > mips, mipsel, powerpc, s390 and sparc. > > > > Source archives: > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2.dsc > > > Size/MD5 checksum: 736 280d7371f21cd78c4977d65967f4695c > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2.diff.gz > > > Size/MD5 checksum: 13965 269c15cb493be7357dc5d8a8acbad25d > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2.orig > .tar.gz > > > Size/MD5 checksum: 3217622 d799e44aa65027a02343e5e08b97f3a0 > > > > alpha architecture (DEC Alpha) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_alpha.deb > > > Size/MD5 checksum: 398482 c4dcbec55c55dff97a738617b367f517 > > > > amd64 architecture (AMD x86_64 (AMD64)) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_amd64.deb > > > Size/MD5 checksum: 363478 94687bb12867af71bcf9680f089e422f > > > > arm architecture (ARM) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_arm.deb > > > Size/MD5 checksum: 350004 513a26c626071a4d58abbbc22a7f9f4b > > > > hppa architecture (HP PA RISC) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_hppa.deb > > > Size/MD5 checksum: 388388 ce6100257045fe40df77af384d5d2b51 > > > > i386 architecture (Intel ia32) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_i386.deb > > > Size/MD5 checksum: 355890 07f603a68d05bf05f9fad916f9de51e0 > > > > ia64 architecture (Intel ia64) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_ia64.deb > > > Size/MD5 checksum: 470078 78f1972ef14698a20d5c181b90dd31e7 > > > > mipsel architecture (MIPS (Little Endian)) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_mipsel.deb > > > Size/MD5 checksum: 376390 678ed61359f44e3bb9161d03e4b6675f > > > > powerpc architecture (PowerPC) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+e > tch2_powerpc.deb > > > Size/MD5 checksum: 358184 c76433b354ed838938340a06a7f93cd2 > > > > > > Debian GNU/Linux 5.0 alias lenny > > - -------------------------------- > > > > Debian (stable) > > - --------------- > > > > Stable updates are available for alpha, amd64, arm, armel, hppa, i386, > > ia64, mips, mipsel, powerpc, s390 and sparc. > > > > Source archives: > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4.orig > .tar.gz > > > Size/MD5 checksum: 3566630 78e6c27afe7eff9e132b8bc20087aae7 > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3.diff.gz > > > Size/MD5 checksum: 807850 15846a840e3bad8301778630d7e7bf24 > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3.dsc > > > Size/MD5 checksum: 1137 826da92ceb403b0e0778c3609c109a1e > > > > alpha architecture (DEC Alpha) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_alpha.deb > > > Size/MD5 checksum: 402062 21c37f944be6d5b02544acb17c521681 > > > > amd64 architecture (AMD x86_64 (AMD64)) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_amd64.deb > > > Size/MD5 checksum: 371772 18b875356d68e326c51decf8061eff99 > > > > hppa architecture (HP PA RISC) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_hppa.deb > > > Size/MD5 checksum: 389098 c59222e68d068e2d68db475854b8f52d > > > > i386 architecture (Intel ia32) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_i386.deb > > > Size/MD5 checksum: 359508 340a509db515cd0d4e9af017871d0f80 > > > > ia64 architecture (Intel ia64) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_ia64.deb > > > Size/MD5 checksum: 466646 826d66a3b3bc85492bf45f9552db15ca > > > > mips architecture (MIPS (Big Endian)) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_mips.deb > > > Size/MD5 checksum: 375330 c0c80404e33608fdc46d007d7ad97c08 > > > > mipsel architecture (MIPS (Little Endian)) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_mipsel.deb > > > Size/MD5 checksum: 376072 ece64fb17424086e64dd5cb84604f80b > > > > powerpc architecture (PowerPC) > > http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+le > nny3_powerpc.deb > > > Size/MD5 checksum: 379196 3cd9eb52eb8a14feebd37be8578f467f > > > > > > These files will probably be moved into the stable distribution on > > its next update. > > > > - > > --------------------------------------------------------------------------- > ------ > > > For apt-get: deb http://security.debian.org/ stable/updates main > > For dpkg-ftp: ftp://security.debian.org/debian-security > > dists/stable/updates/main > > Mailing list: [email protected] > > Package info: `apt-cache show <pkg>' and > > http://packages.debian.org/<pkg> > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.10 (GNU/Linux) > > > > iEYEARECAAYFAkth8TEACgkQ62zWxYk/rQeHfQCeKQULh1XAWPADGpWDuNVrnd/R > > krMAoI+R63iKeQXMnV/B7CHJN2XqihGQ > > =Q1oS > > -----END PGP SIGNATURE----- > > > >> XLhost.de - eXperts in Linux hosting ® << > > XLhost.de GmbH > Jürgen Herrmann, Geschäftsführer > Boelckestrasse 21, 93051 Regensburg, Germany > > Geschäftsführer: Volker Geith, Jürgen Herrmann > Registriert unter: HRB9918 > Umsatzsteuer-Identifikationsnummer: DE245931218 > > Fon: +49 (0)800 XLHOSTDE [0800 95467833] > Fax: +49 (0)800 95467830 > > WEB: http://www.XLhost.de > IRC: #[email protected] > -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
