[Frugalware-git] homepage-ng: add description about missing FSA508

Tue, 26 Aug 2008 08:11:05 -0700 

Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=homepage-ng.git;a=commitdiff;h=f2e2b72eeca97eab463075a676041278bb3ac696

commit f2e2b72eeca97eab463075a676041278bb3ac696
Author: Miklos Vajna <[EMAIL PROTECTED]>
Date:   Tue Aug 26 17:10:55 2008 +0200

add description about missing FSA508

diff --git a/frugalware/xml/security.xml b/frugalware/xml/security.xml
index 7b2a285..b4141c6 100644
--- a/frugalware/xml/security.xml
+++ b/frugalware/xml/security.xml
@@ -107,21 +107,7 @@
11) An error in the processing of "Alt Names" provided by "peer" trusted 
certificates can be exploited to conduct spoofing attacks.
12) An error in the processing of Windows URL shortcuts can be exploited to run 
a remote site as a local file.</desc>
</fsa>
-       <fsa>
-               <id>508</id>
-               <date>2008-08-16</date>
-               <package>postfix</package>
-               <vulnerable>2.4.6-1</vulnerable>
-               <unaffected>2.4.7-1kalgan1</unaffected>
-               <bts>http://bugs.frugalware.org/task/3296</bts>
-               <cve>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
-                       
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937</cve>
-               <desc>Sebastian Krahmer has reported some security issues in 
Postfix, which can be exploited by malicious, local users to disclose 
potentially sensitive information and perform certain actions with escalated 
privileges.
-                       1) A security issue is caused due to Postfix 
incorrectly handling symlink files. This can be exploited to e.g. append mail 
messages to arbitrary files by creating a hardlink to a symlink owned by the 
root user.
-                       Successful exploitation requires write permission to 
the mail spool directory, that there is no "root" mailbox, and users can create 
a hardlink to a symlink (e.g. Linux 2.x, Solaris, Irix 6.5).
-                       2) A security issue is caused due to Postfix not 
correctly checking the ownership of the destination when delivering email. This 
can be exploited to e.g. disclose emails by creating an insecure mailbox file 
for other users.
-                       Successful exploitation requires permission to create 
files within the mail spool directory.</desc>
-       </fsa>
+       <!-- 508 was the same as 507 by accident. -->
<fsa>
<id>507</id>
<date>2008-08-16</date>
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git

Reply via email to