On Wednesday, 9. September 2009 18:43:43 Dave McMurtrie wrote:
> > TJ> Regarding the buffer overflow: The cert website currently outputs a
> > TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
> > TJ> via a malicious email or does a user need to upload a malicious
> > TJ> sieve script?
> >
> > Hmmm... Still down...
>
> Apologies for the CERT vulnerability link not existing.
>
> We had planned, along with CERT, to make a coordinated announcement
> about this tomorrow in order to give the major Cyrus vendors a chance to
> get their distributions patched.
>
> Unfortunately, Debian put out their DSA over the weekend so we didn't
> want to wait until tomorrow to put out our announcement. CERT provided
> that URL for us, but since they haven't yet formally released this
> vulnerability the URL isn't active yet.

Thanks for clearing this up! I'm very happy this is not triggerable via a
malicious email :)

Thomas