Bug#506353: lenny removal requests
On Friday 26 December 2008 00:20, Julian Field wrote:
>> I'm afraid this is too late, mailscanner has already been removed from lenny.
>
> Shame you couldn't wait 6 days for the new stable release. I don't
> immediately release a new stable release after making lots of changes to
> ensure it has received some testing in the field first. Your loss.

This is indeed a pity. However, as a distribution with 20,000 packages, it's unavoidable that sometimes release schedules are not aligned and that from time to time, in some place a price needs to be paid to keep the larger plan rolling.

Thijs
Bug#506353: lenny removal requests
On 25/12/08 21:38, Nico Golde wrote:
> Hi,
> * Simon Walter simon.wal...@hp-factory.de [2008-12-25 00:43]:
>> Gabor FUNK funk.ga...@hunetkft.hu writes:
>> [...]
>> Current state of this work is: It works (MailScanner starts and scans a
>> simple textmail) but it's not well tested. Some testing still needs to be
>> done with TNEF attachments, virus removal and some other cases. I currently
>> don't know when I will have the time to do this.
>> I have attached the diff against the 4.68.8 debian package.
>
> I'm afraid this is too late, mailscanner has already been removed from lenny.

Shame you couldn't wait 6 days for the new stable release. I don't immediately release a new stable release after making lots of changes to ensure it has received some testing in the field first. Your loss.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at ju...@jules.fm
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#506353: lenny removal requests
Hi,
* Simon Walter simon.wal...@hp-factory.de [2008-12-25 00:43]:
> Gabor FUNK funk.ga...@hunetkft.hu writes:
> [...]
> Current state of this work is: It works (MailScanner starts and scans a
> simple textmail) but it's not well tested. Some testing still needs to be
> done with TNEF attachments, virus removal and some other cases. I currently
> don't know when I will have the time to do this.
> I have attached the diff against the 4.68.8 debian package.

I'm afraid this is too late, mailscanner has already been removed from lenny.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#506353: lenny removal requests
Julian Field mailscan...@ecs.soton.ac.uk writes:
> On 25/12/08 21:38, Nico Golde wrote:
>> I'm afraid this is too late, mailscanner has already been removed from lenny.
>
> Shame you couldn't wait 6 days for the new stable release. I don't
> immediately release a new stable release after making lots of changes to
> ensure it has received some testing in the field first. Your loss.

It wouldn't have been included anyway. Making lots of changes is not something the Debian release team wants to see shortly before a release.

> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.

This signature is a bad idea.

Marc
--
Technical terms of computer science - simply explained
89: PSD
       So that the fonts don't look as if they had been cut out with a fretsaw. (Meikel Katzengreis)
Bug#506353: lenny removal requests
> so here are three RC bugs with maintainers clearly indicating that they
> don't want the buggy packages to release and none look like they will be
> fixed. The packages do not have reverse dependencies, so they seem to be
> good for removal.
>
> mailscanner #506353
> The maintainer Simon Walter writes:
>   In the current state the package should not be part of the lenny
>   release. I'm in no position to fix all this. I'm not familiar enough
>   with the MailScanner sourcecode and I'm not able to test the changes I
>   would have to make, in particular to all the virusscanner scripts.
> upstream apparently does not seem to, let's say, consider the tempfile
> vulnerability a bug and does not seem to want to fix it.

The mailscanner temp vulnerability seems to be fixed in upstream:

--- http://www.mailscanner.info/ChangeLog
18/12/2008 New in Version 4.74.11-1
...
* Fixes
* 2 Major work on removing symlink attack vulnerabilities affecting -autoupdate lock files. Note: This vulnerability only affected systems where normal interactive users could log in to the system, or create arbitrary symlinks in your filesystem. So the ISP-style setups were never vulnerable, as they didn't allow normal users to login or allow people to arbitrarily create symlinks in the filesystem.
* 2 Removed symlink attack vulnerabilities in SpamAssassin
---

Or are there more?

G.
Bug#506353: lenny removal requests
I'm forwarding this I got from Julian (mailscanner upstream).

G.

----- Original Message -----
From: Julian Field mailscan...@ecs.soton.ac.uk
To: Gabor FUNK funk.ga...@hunetkft.hu
Sent: Wednesday, December 24, 2008 3:27 PM
Subject: Re: Bug#506353: lenny removal requests

The vulnerabilities in MailScanner have all been fixed.

On 24/12/08 10:20, Gabor FUNK wrote:
>> so here are three RC bugs with maintainers clearly indicating that they
>> don't want the buggy packages to release and none look like they will be
>> fixed. The packages do not have reverse dependencies, so they seem to be
>> good for removal.
>>
>> mailscanner #506353
>> The maintainer Simon Walter writes:
>>   In the current state the package should not be part of the lenny
>>   release. I'm in no position to fix all this. I'm not familiar enough
>>   with the MailScanner sourcecode and I'm not able to test the changes I
>>   would have to make, in particular to all the virusscanner scripts.
>> upstream apparently does not seem to, let's say, consider the tempfile
>> vulnerability a bug and does not seem to want to fix it.
>
> The mailscanner temp vulnerability seems to be fixed in upstream:
>
> --- http://www.mailscanner.info/ChangeLog
> 18/12/2008 New in Version 4.74.11-1
> ...
> * Fixes
> * 2 Major work on removing symlink attack vulnerabilities affecting
> -autoupdate lock files. Note: This vulnerability only affected systems
> where normal interactive users could log in to the system, or create
> arbitrary symlinks in your filesystem. So the ISP-style setups were never
> vulnerable, as they didn't allow normal users to login or allow people to
> arbitrarily create symlinks in the filesystem.
> * 2 Removed symlink attack vulnerabilities in SpamAssassin
> ---
>
> Or are there more?
>
> G.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at ju...@jules.fm
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
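An added illustration, not MailScanner code and not from anyone in this thread, of the lock-file handling that the ChangeLog entry quoted above and the Debian backport are concerned with: create the lock so that a pre-planted symlink cannot redirect it, and refuse a lock directory under /tmp. The policy checks, file names and directory layout are my own assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not MailScanner code: create a lock file so that a
# pre-planted symlink cannot redirect it, and refuse lock dirs under /tmp.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempdir);

# Returns an open filehandle on the new lock file, or dies with the reason.
# The policy checks (no /tmp, no world-writable or symlinked dir) are my own.
sub create_lock_safely {
    my ($lockdir, $name) = @_;
    die "lock dir must be set\n" unless defined $lockdir && $lockdir ne '';
    my $abs = File::Spec->rel2abs($lockdir);
    die "lock dir $abs is under /tmp; use a private directory\n"
        if $abs =~ m{^/tmp(?:/|$)};
    my @st = lstat($abs) or die "cannot lstat $abs: $!\n";
    die "$abs is not a directory (or is a symlink)\n" unless -d _;
    die "$abs is world-writable; locks there can be hijacked\n"
        if $st[2] & 0002;
    my $path = File::Spec->catfile($abs, $name);
    # O_EXCL: fail if anything already exists at $path, a symlink included.
    # O_NOFOLLOW: even if a symlink appears in a race, never open through it.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create lock $path: $!\n";
    # What was actually opened must be a plain file owned by this process.
    my @fst = stat($fh) or die "cannot stat $path: $!\n";
    die "lock $path is not a plain file\n" unless -f _;
    die "lock $path is not owned by uid $>\n" unless $fst[4] == $>;
    return $fh;
}

# Demonstration on a constructed layout in a scratch dir below the cwd
# (assumed writable); tempdir() itself would land under /tmp and be refused.
my $dir    = tempdir('lockdemo-XXXX', DIR => '.', CLEANUP => 1);
my $target = "$dir/victim";                  # file an attacker wants clobbered
open(my $v, '>', $target) or die "open: $!";
print $v "important data\n";
close $v;
symlink($target, "$dir/autoupdate.lock") or die "symlink: $!";

# A naive open('>') would follow the symlink and truncate $target.
eval { create_lock_safely($dir, 'autoupdate.lock') };
print "planted symlink rejected: $@" if $@;
print "target still intact: ", (-s $target ? "yes" : "no"), "\n";

# With nothing in the way, the lock is created as a regular file.
my $fh = create_lock_safely($dir, 'clean.lock');
print "created lock as regular file: ", (-f "$dir/clean.lock" ? "yes" : "no"), "\n";
close $fh;
```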
Bug#506353: lenny removal requests
Hi

Gabor FUNK funk.ga...@hunetkft.hu writes:
>> mailscanner #506353
>> The maintainer Simon Walter writes:
>>   In the current state the package should not be part of the lenny
>>   release. I'm in no position to fix all this. I'm not familiar enough
>>   with the MailScanner sourcecode and I'm not able to test the changes I
>>   would have to make, in particular to all the virusscanner scripts.
>> upstream apparently does not seem to, let's say, consider the tempfile
>> vulnerability a bug and does not seem to want to fix it.
>
> The mailscanner temp vulnerability seems to be fixed in upstream:

Yes, upstream has fixed the vulnerability, but not yet released a stable (non-beta) version. The next stable release will be on 01.01.09 but this release will also come with quite some features.

Noah Meyerhans from the security team and I have been working on a backport of the upstream fixes for mailscanner-4.68.8. Current state of this work is: It works (MailScanner starts and scans a simple textmail) but it's not well tested. Some testing still needs to be done with TNEF attachments, virus removal and some other cases. I currently don't know when I will have the time to do this.

I have attached the diff against the 4.68.8 debian package.

--
Regards
Simon Walter

diff -Naur mailscanner-4.68.8/debian/changelog mailscanner-4.68.8-1+lenny1-proposed/debian/changelog --- mailscanner-4.68.8/debian/changelog 2008-12-24 23:29:01.0 +0100 +++ mailscanner-4.68.8-1+lenny1-proposed/debian/changelog 2008-12-24 23:27:44.0 +0100 
@@ -1,3 +1,11 @@ +mailscanner (4.68.8-1+lenny1) testing-proposed-updates; urgency=high + + * Security upload to fix CVE-2008-5140, CVE-2008-5312, CVE-2008-5312 +(insecure creation of files in /tmp) +Thanks Raphael Geisser, Noah Meyerhans + + -- Simon Walter simon.wal...@hp-factory.de Mon, 22 Dec 2008 19:43:05 +0100 + mailscanner (4.68.8-1) unstable; urgency=low * New upstream release diff -Naur mailscanner-4.68.8/debian/mailscanner.install mailscanner-4.68.8-1+lenny1-proposed/debian/mailscanner.install --- mailscanner-4.68.8/debian/mailscanner.install 2008-12-24 23:29:01.0 +0100 +++ mailscanner-4.68.8-1+lenny1-proposed/debian/mailscanner.install 2008-12-24 23:27:44.0 +0100 @@ -2,6 +2,7 @@ bin/df2mbox usr/sbin/ bin/upgrade_MailScanner_conf usr/sbin/ bin/MailScanner /usr/sbin +bin/mailscanner_create_locks /usr/sbin bin/update_virus_scanners /usr/sbin bin/update_phishing_sites /usr/sbin lib/MailScanner.pm usr/share/MailScanner/ diff -Naur mailscanner-4.68.8/debian/patches/00list mailscanner-4.68.8-1+lenny1-proposed/debian/patches/00list --- mailscanner-4.68.8/debian/patches/00list 2008-12-24 23:29:01.0 +0100 +++ mailscanner-4.68.8-1+lenny1-proposed/debian/patches/00list 2008-12-24 23:27:43.0 +0100 @@ -10,3 +10,4 @@ update_virus_scanners.dpatch upgrade-manpage.dpatch use_spamassassinprefsconf.dpatch +CVE-2008-5313.dpatch diff -Naur mailscanner-4.68.8/debian/patches/CVE-2008-5313.dpatch mailscanner-4.68.8-1+lenny1-proposed/debian/patches/CVE-2008-5313.dpatch --- mailscanner-4.68.8/debian/patches/CVE-2008-5313.dpatch 1970-01-01 01:00:00.0 +0100 +++ mailscanner-4.68.8-1+lenny1-proposed/debian/patches/CVE-2008-5313.dpatch 2008-12-24 23:27:43.0 +0100 
@@ -0,0 +1,1335 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2008-5313.dpatch by no...@debian.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad mailscanner-4.68.8~/bin/MailScanner mailscanner-4.68.8/bin/MailScanner +--- mailscanner-4.68.8~/bin/MailScanner 2008-12-22 22:48:13.0 +0100 mailscanner-4.68.8/bin/MailScanner 2008-12-22 22:48:14.0 +0100 +@@ -61,6 +61,7 @@ + use FileHandle; + use File::Path; + use IO::Handle; ++use IO::File; + use Getopt::Long; + use Time::HiRes qw ( time ); + use Filesys::Df; +@@ -362,6 +363,18 @@ +checking configuration...\n; + MailScanner::Log::Configure($logbanner, 'stderr'); + ++ # Check -autoupdate lock files ++ my $lockdir = MailScanner::Config::QuickPeek($ConfFile, 'lockfiledir'); ++ if ($lockdir eq || $lockdir =~ /tmp$/i) { ++print STDERR Please move your \Lockfile Dir\ setting in MailScanner.conf.\n; ++print STDERR It should point outside /tmp, preferably /var/spool/MailScanner/incoming/Locks\n; ++ } ++ my $cluid = MailScanner::Config::QuickPeek($ConfFile, 'runasuser'); ++ my $clgid = MailScanner::Config::QuickPeek($ConfFile, 'runasgroup'); ++ my $clr = system(/usr/sbin/mailscanner_create_locks \$lockdir\ \$cluid\ \$clgid\); ++ print STDERR Error: Attempt to create locks in $lockdir failed!\n ++if ($clr8) != 0; ++ + # Read the directory containing all the custom code + MailScanner::Config::initialise(MailScanner::Config::QuickPeek($ConfFile, + 'customfunctionsdir')); +@@ -446,6 +459,12 @@ +} + } + ++ # Check permissions on /tmp ++ if ($WantLintOnly) { ++
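Review bot: the debian/changelog entry names CVE-2008-5312 twice ("CVE-2008-5140, CVE-2008-5312, CVE-2008-5312") while the patch added to debian/patches/00list is CVE-2008-5313.dpatch, so one of the two 5312 entries is presumably meant to be CVE-2008-5313; the changelog should list each id the upload actually addresses exactly once.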
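Review bot: the dpatch header of CVE-2008-5313.dpatch still reads `## DP: No description.`; for a 1335-line security backport the DP lines should say which CVEs it fixes and which upstream changes it carries, so that the next uploader can tell what is included without diffing against upstream.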
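Review bot: in the bin/MailScanner hunk the new lock-file check is advisory only. A bad `Lockfile Dir` (empty or matching `/tmp$/i`) prints the "Please move your Lockfile Dir setting" message and then falls straight through to `system(/usr/sbin/mailscanner_create_locks $lockdir $cluid $clgid)` with that same directory, and a non-zero helper exit (the test shown as `($clr8) != 0`, i.e. the exit status) likewise only prints `Error: Attempt to create locks in $lockdir failed!` without aborting, so a misconfigured installation still starts with its locks where the check just objected. Consider exiting in both cases. The `/tmp$/i` test also only catches a directory whose name ends in "tmp", so subdirectories of /tmp pass it; matching on a leading `/tmp/` would be stricter. Finally, the helper is invoked through a single interpolated command string, so the three config values go through the shell; the list form `system('/usr/sbin/mailscanner_create_locks', $lockdir, $cluid, $clgid)` avoids that.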
Bug#506353: lenny removal requests
Hi,

so here are three RC bugs with maintainers clearly indicating that they don't want the buggy packages to release and none look like they will be fixed. The packages do not have reverse dependencies, so they seem to be good for removal.

xml2rfc #506652
The maintainer Florian Weimer:
  This means we shouldn't release the current xml2rfc version with lenny.

mailscanner #506353
The maintainer Simon Walter writes:
  In the current state the package should not be part of the lenny
  release. I'm in no position to fix all this. I'm not familiar enough
  with the MailScanner sourcecode and I'm not able to test the changes I
  would have to make, in particular to all the virusscanner scripts.
upstream apparently does not seem to, let's say, consider the tempfile vulnerability a bug and does not seem to want to fix it.

helpdeco #507021
The maintainer Paul Wise writes:
  Based on the issues I found and fixed in upstream SVN last year with the
  zzuf input fuzzer, I don't think the current version should be allowed
  into lenny on any architecture

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/