On 26-12-2014 19:19, Ken Moffat wrote:
>  I'm just catching up with recent vulnerabilities, and now I'm up
> to those which have not been addressed in the book.  The first of
> these is heirloom-mailx - CVE-2004-2771 [really!] and CVE-2014-7844.
> 
>  I originally saw this for fedora, who are using 12.5, and then for
> debian who have apparently fixed both 12.4 and 12.5.  We are still
> using 12.4, which made me wonder _why_ : it turns out that fedora
> have been using 12.5 for a little over 4 years, but they use a
> script to download (and strip out the CVS junk and tar it up) from
> CVS at sourceforge¹.  However, debian have posted an 'orig' tarball
> heirloom-mailx_12.5.orig.tar.gz in pool/main/h/heirloom-mailx.
> 
>  [ aside - does anybody still install CVS on a normal system ? ]
> 
>  At the moment I have not looked at what is in the new version, but
> does anybody object to using the 12.5 version from debian (with the
> set of patches rolled up into one) ?

I have no objection. Perhaps (but I think you have it all figured out)
just a comment or note, I don't know, about the probable difference in the
tarball name (with orig) and the source directory name...

>  From debian's changelog for 12.4:
> heirloom-mailx (12.4-2+deb6u1) squeeze-lts; urgency=high
> 
> * Non-maintainer upload by the Debian LTS Team.
> * Apply patches from Red Hat to address command execution issues:
>   + 0011-outof-Introduce-expandaddr-flag.patch
>     Disable command execution in email addresses (CVE-2014-7844)
>   + 0012-unpack-Disable-option-processing-for-email-addresses.patch
>   + 0013-fio.c-Unconditionally-require-wordexp-support.patch
>   + 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch (CVE-2004-2771)
> 
> ĸen
> 
> [1.]
> http://pkgs.fedoraproject.org/cgit/mailx.git/plain/get-upstream-tarball.sh
> 


-- 
[]s,
Fernando
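For readers following the changelog entries above, this is an added example (not code from heirloom-mailx, Debian or Red Hat) showing what the WRDE_NOCMD fix for CVE-2004-2771 does: wordexp() is told to reject command substitution in an address-like string instead of handing it to /bin/sh. The sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <wordexp.h>

/* Expand an address-like string the hardened way. WRDE_NOCMD makes
 * wordexp() fail with WRDE_CMDSUB on "$(...)" or backticks rather than
 * running them (without the flag, glibc passes them to /bin/sh).
 * Returns the wordexp() status; on success *nwords is the word count. */
int expand_nocmd(const char *s, size_t *nwords) {
    wordexp_t we;
    int rc = wordexp(s, &we, WRDE_NOCMD);
    if (rc == 0) {
        if (nwords) *nwords = we.we_wordc;
        wordfree(&we);
    } else if (nwords) {
        *nwords = 0;
    }
    return rc;
}

int main(void) {
    /* Constructed sample inputs: one benign address, two with embedded
     * command substitution that a mailer must never execute. */
    const char *samples[] = {
        "user@example.com",
        "$(id)@example.com",
        "`id`@example.com",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        int rc = expand_nocmd(samples[i], &n);
        if (rc == 0)
            printf("ok       %-20s -> %zu word(s)\n", samples[i], n);
        else if (rc == WRDE_CMDSUB)
            printf("rejected %-20s -> command substitution refused\n", samples[i]);
        else
            printf("error    %-20s -> wordexp status %d\n", samples[i], rc);
    }
    return 0;
}
```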
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page