Package: mailscanner
Version: 4.79.11-2
Severity: important
Tags: security

Hi,

The update{_bad,}_phishing_sites scripts download files and trust them 
without using any sort of encryption (e.g. https) or digital signature 
checking.
They are therefore vulnerable to DNS/packet spoofing, which could be used by an 
attacker to, for example, replace the phishing whitelist (which could have 
mixed results: some messages being considered phishing and others not.)
Or, depending on the parsing routine of the downloaded files (which I've not 
reviewed,) could lead to other attacks (mainly DoS, I guess.)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
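
An added example, not code from MailScanner or from the reporter: a fail-closed install step that an update script could run on a downloaded list before trusting it. Assumptions: the function name `install_verified_list` is hypothetical, the expected SHA-256 digest reaches the host over a trusted channel (a stand-in for the signature check the report mentions), and the list format is one hostname per line with `#` comments.

```shell
#!/bin/sh
# install_verified_list NEW_FILE EXPECTED_SHA256 DEST   (hypothetical helper)
# Replaces DEST only if NEW_FILE matches the expected digest and every
# line looks like a hostname; on any failure DEST is left untouched.
install_verified_list() {
    new=$1
    expected=$2
    dest=$3

    [ -s "$new" ] || { echo "empty or missing download" >&2; return 1; }

    # Integrity: a spoofed DNS answer or injected packet changes the digest.
    actual=$(sha256sum "$new" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch, keeping existing $dest" >&2
        return 2
    fi

    # Sanity: reject any line that is not blank, a comment or a hostname,
    # so the later parser never sees unexpected input (assumed format).
    if grep -Evq '^(#.*|[A-Za-z0-9._-]+)?$' "$new"; then
        echo "unexpected content, keeping existing $dest" >&2
        return 3
    fi

    # Atomic replace: write next to DEST, then rename over it, so a reader
    # never sees a half-written list.
    tmp=$(mktemp "$dest.XXXXXX") || return 4
    if cp "$new" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 4
}
```
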


