Dear Andreas,
> I have a completely untested patch sitting in GIT - do you have a
> possibility to test packages built from that?
I could replace files, or DEB packages, on some test machines. Do not
know whether that testing would be exhaustive: do not know how many
features of the sendmail pack
Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating
also? It is almost identical to /etc/init.d/sendmail, and in file
/etc/cron.daily/sendmail I notice the lines:
...
#--
# Every so often, give sendmail
Hmm... you may also need to (once) do:
chown smmsp /var/run/sendmail/stampdir/reload
when adopting my patch.
Cheers, Paul
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole
Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.
The directory /var