Oh, I see. They added an amendment to the end.

Last-minute note: on February 9, 2020, opensmtpd-6.6.2p1-1.fc31 was released and correctly made smtpctl set-group-ID smtpq, instead of set-group-ID root.

Rather strange that they haven't managed to update packages for two weeks before checking anything.

On Wed, Feb 26, 2020 at 3:56 AM Denis Fateyev <[email protected]> wrote:

> Besides the real vulnerability, what is interesting is that Qualys used an
> outdated Fedora package to prepare the report:
>
> On Linux, this vulnerability is generally not exploitable because
> /proc/sys/fs/protected_hardlinks prevents attackers from creating
> hardlinks to files they do not own. On Fedora 31, however, smtpctl is
> set-group-ID root, not set-group-ID smtpq:
>
> ------------------------------------------------------------------------------
> -r-xr-sr-x. 1 root root 303368 Jul 26 2019 /usr/sbin/smtpctl
> ------------------------------------------------------------------------------
>
>
> The latest package (6.6.2, pushed to stable on Feb 09) contains a
> different file:
>
> # ls -la /usr/sbin/smtpctl
> -r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl
>
> That version that they tested was way back from 2019.
>
> I think I need to inform them separately, but just FYI.
>
> --
> wbr, Denis.
