Beside the real vulnerability, what is interesting that Qualys used an
outdated Fedora package to prepare the report:

On Linux, this vulnerability is generally not exploitable because
/proc/sys/fs/protected_hardlinks prevents attackers from creating
hardlinks to files they do not own. On Fedora 31, however, smtpctl is
set-group-ID root, not set-group-ID smtpq:

-r-xr-sr-x. 1 root root 303368 Jul 26  2019 /usr/sbin/smtpctl

The latest package (6.6.2, pushed to stable on Feb 09) contains a different

# ls -la /usr/sbin/smtpctl
-r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl

That version that they tested was way back from 2019.

I think I need to inform them separately, but just FYI.

Reply via email to