Your message dated Sun, 14 Jun 2020 13:34:12 +0200 with message-id <20200614113411.ga17...@debian.org> and subject line Re: Bug#944265: mailutils: local privilege escalation in maidag utility (fixed in 3.8) has caused the Debian Bug report #944265, regarding mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 944265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944265 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: mailutils Severity: serious Tags: security fixed-upstream There is a local privilege escalation in the maidag utility: https://savannah.gnu.org/forum/forum.php?forum_id=9586 This version fixes important security flow. The maidag utility has been withdrawn and three new programs have been included to provide its functionality: local mail delivery agent mda, LMTP daemon lmtpd, and user mail delivery tool putmail. https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS * The maidag utility is withdrawn The main purpose of this utility was to work as local mail delivery agent (MDA), a program responsible for final delivery of email messages to the recipient's mailbox. As such it required suid privileges. In parallel with its main purpose, it also was able to work in two other modes: the 'url' mode, designed to deliver mails to arbitrary mailbox URLs, and 'lmtp' mode, in which it acted as local mail transport daemon. Neither of these needed suid privileges. The unfortunate design decision to combine the three modes in a single versatile tool resulted in local privilege escalation threat in 'url' mode. To fix this, maidag has been replaced by three different utilities, each one with a precisely defined purpose and carefully designed privileges: mda, lmtpd, and putmail. -- bye, pabs https://wiki.debian.org/PaulWisesignature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---Version: 1:3.8-1 Hi, On Sat, Nov 23, 2019 at 10:13:46AM +0100, Salvatore Bonaccorso wrote: > On Fri, Nov 22, 2019 at 02:22:00PM +0100, Jordi Mallach wrote: > > Hi all, > > > > El dl. 11 de 11 de 2019 a les 21:32 +0100, en/na Salvatore Bonaccorso > > va escriure: > > > Control: retitle -1 mailutils: local privilege escalation in maidag > > > utility (fixed in 3.8) (CVE-2019-18862) As this is listed as 'fixed in 3.8', it should be fixed in the 3.8 upload. However, the upload didn't close this bug or mention the CVE. Closing the bug now. Thanks for the upload! Ivo
--- End Message ---