[Bug 258162] Re: Postfix local privilege escalation via hardlinked symlinks

2008-08-19 Thread Kees Cook
Published: http://www.ubuntu.com/usn/usn-636-1

** Changed in: postfix (Ubuntu)
 Assignee: (unassigned) => LaMont Jones (lamont)
   Status: Fix Committed => Fix Released

-- 
Postfix local privilege escalation via hardlinked symlinks
https://bugs.launchpad.net/bugs/258162
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 258162] Re: Postfix local privilege escalation via hardlinked symlinks

2008-08-15 Thread LaMont Jones
It's CVE-2008-2936, and fixed in:
2.2.10-1ubuntu0.2 (dapper)
2.3.8-2ubuntu0.1 (feisty)
2.4.5-3ubuntu1.1 (gutsy)
2.5.1-2ubuntu1 (hardy)
2.5.4-1 (intrepid)

None of these have hit the archive, see also 
https://bugs.edge.launchpad.net/ubuntu/+source/postfix/+bug/257893
I'd expect to see the -security stuff shortly.

CVE-2008-2937 was also assigned for the issue that was fixed in 2.5.3, which 
applies if you have a mode 1777 /var/mail.
That should not be confused with any sane configuration of mail.

lamont


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2937

** Changed in: postfix (Ubuntu)
   Status: In Progress => Fix Committed

-- 
Postfix local privilege escalation via hardlinked symlinks
https://bugs.launchpad.net/bugs/258162
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 258162] Re: Postfix local privilege escalation via hardlinked symlinks

2008-08-15 Thread Scott Kitterman
Updates for all Ubuntu releases have been prepared and are going through
the security update process.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2936

** Changed in: postfix (Ubuntu)
   Status: New => In Progress

-- 
Postfix local privilege escalation via hardlinked symlinks
https://bugs.launchpad.net/bugs/258162
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs