On 10/02/2011 22:01, David F. Skoll wrote:
> On Fri, 11 Feb 2011 09:50:05 +1300 Jason Haar <jason.h...@trimble.co.nz> wrote:
>> That exploit is dated Mar 2010? Has this really not been fixed in about a year???
>
> If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/, it looks like the last release was in 2006. It looks like that project is abandoned.

Not quite abandoned:

*From*: Dan Nelson
*Subject*: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
*Date*: Fri, 11 Feb 2011 00:08:26 -0600
*User-agent*: Mutt/1.5.21 (2010-09-15)

------------------------------------------------------------------------

In the last episode (Feb 10), Don Armstrong said:
> On Thu, 10 Feb 2011, Adam Katz wrote:
>> On 02/10/2011 10:21 AM, David F. Skoll wrote:
>>> Aieee.... popen() in security-sensitive software!??!??
>>>
>>> Also, why does the milter process run as root? That seems like a huge
>>> hole all by itself.
>>
>> Does this affect sendmail as well as postfix?
>
> It only affects you if you're running with -x. This was patched in
> Debian and Redhat in March of 2010.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

I thought I committed the patch to CVS, but apparently hadn't. It's committed now, and I'll do a release this weekend.

-- 
Dan Nelson
address@hidden

-- 
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey
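The forwarded thread above objects to popen() in the milter and notes the bug only bites with -x. As an added illustration (not spamass-milter's code and not Dan Nelson's patch), the block below assumes -x shells out to `sendmail -bv <address>` and shows the no-shell alternative a maintainer would reach for: an allow-list check on the address, then fork()/execv() with an explicit argv so /bin/sh never parses the recipient string. The helper names and the `-bv` flag are assumptions; the test drives it with /bin/echo instead of a real sendmail.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allow-list check for a recipient address before it is handed
 * to an external program: only RFC-style local-part/domain characters, and
 * no leading '-' (sendmail would otherwise read the address as an option). */
int address_is_safe(const char *addr) {
    size_t len = strlen(addr);
    if (len == 0 || len > 254 || addr[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || strchr("._%+-@", c))) return 0;
    }
    return 1;
}

/* Run `prog -bv addr` with fork()/execv() instead of popen(): the address is
 * passed as one argv element and no shell ever parses it, so ';', '|' or
 * backticks in addr stay literal. Captures stdout into out (NUL-terminated)
 * and returns the child's exit status, or -1 on failure. */
int verify_without_shell(const char *prog, const char *addr,
                         char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        char *const argv[] = { (char *)prog, "-bv", (char *)addr, NULL };
        execv(prog, argv);
        _exit(127);                         /* exec failed */
    }
    close(fds[1]);                          /* parent reads the pipe */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Dropping root before the exec (or never starting the milter as root, as David asks) is a separate fix that this snippet does not cover.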