Leon,

> > Sometimes I wonder why we bother and keep writing
> > software and preparing patches, especially with
> > security-related stuff...
>
> You're right here.
> The problem is that it takes so long for OS maintainers
> to release a new version.
> For Suse for example, the latest version available is
> perl-Convert-UUlib-1.051-31 (even from opensuse factory).
>
> I'd prefer to grab newer .src.rpm and compile it on my system, but
> unfortunately there is no 1.06 version for the OS I'm currently running
> mail server on.

Well, it is easy for me to drop the requirement for 1.06
and continue being happy with 1.05. The only reason for
the requirement is security concerns. The uulib has a rather
buggy history, but is quite useful for the duties it performs
in decoding malformed messages.

The uulib was a target for exploits in the past;
the last version with known exploitable bugs is 1.04,
which is why 1.05 used to be the minimal required version
up to amavisd 2.4.4.

Looking at its change log, both 1.05 and 1.06 look like
potential candidates for future attacks:

1.08(1.07):
  fixed an uninitialised variable ...

1.06:
  fix some signed/unsigned char problems of unknown relevance


I guess I'll be removing the requirement for 1.06,
for the amount of trouble it is causing:

--- amavisd.orig        Tue Jan 23 17:13:25 2007
+++ amavisd     Wed Jan 24 16:01:18 2007
@@ -16479,4 +16479,3 @@
   # avoid an exploitable security hole in Convert::UUlib 1.04 and older!
-  # avoid likely security holes in Convert::UUlib 1.051 and older
-use Convert::UUlib 1.06 qw(:constants);
+use Convert::UUlib 1.05 qw(:constants);    # 1.08 or newer is preferred!
 use Compress::Zlib 1.35;  # avoid security vulnerability in <= 1.34
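Review bot: removing the line `# avoid likely security holes in Convert::UUlib 1.051 and older` drops the only recorded reason why 1.06 had been required, and the new trailing comment `# 1.08 or newer is preferred!` states a preference without saying why. Keep the rationale next to the relaxed check, for example `use Convert::UUlib 1.05 qw(:constants);  # 1.08 or newer preferred: 1.06 fixed signed/unsigned char issues, 1.07/1.08 an uninitialised variable` (both taken from the change-log entries quoted above). Also worth noting in the comment that `use Convert::UUlib 1.05` is a numeric minimum, so the 1.051 package mentioned earlier in the thread satisfies it, which is presumably the intent of the change.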


Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/