I wish to advise that a security vulnerability has been found in perdition which may lead to an attacker being able to execute arbitrary code on the machine running perdition without the need for authentication.

Details of the bug can be found at
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0889.html

A patch to resolve the problem has been committed to CVS
http://perdition.cvs.sourceforge.net/perdition/perdition/perdition/imap4_in.c?r1=1.45&r2=1.46

A bug-fix release, 1.17.1, has been made. This includes a minimal set of changes on top of 1.17
http://www.vergenet.net/linux/perdition/download/1.17.1/

There are also interim Debian packages under the URL above. This includes packages for testing-security, which can also be found by themselves at:
http://packages.vergenet.net/lenny-security/perdition/

I have uploaded the sid packages (1.17.1-1), as well as the testing-stable and testing-unstable packages after consulting with the Debian Security Team.

The bug will henceforth be tracked as CVE-2007-5740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5740

-- 
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/

