On 11.02.2011 20:11, Adam Katz wrote:
> On 02/11/2011 03:39 AM, Giles Coochey wrote:
>> Under CentOS spamass-milter appears to run as sa-milt.
>
> IIRC, Debian does this too. However, the -x flag may require running as
> root, so it is possible (I have not verified) that it never downgrades
> its privileges.
>
>> The vulnerability is only active if the milter is run with the '-x'
>> expand (for virtusertable / alias expansion) option.
>
> Correct.
>
>> While the project page is inactive, the distribution packages of
>> spamass-milter often contain unofficial patches which expand its
>> features, and it wouldn't surprise me if they also fix this
>> vulnerability.
>
> They did. That fix was also supposed to go upstream but accidentally
> did not.
>
>> Anyone know whether the CentOS one is vulnerable?
>>
>> Name    : spamass-milter
>> Arch    : i386
>> Version : 0.3.1
>> Release : 24.rhel5
>
> You are all set.
>
> RHEL release 0.3.1-17 introduced the fix. 0.3.1-19 includes a related
> zombie process fix (CVE-2010-1132). See changelog in:
> http://rpmfind.net//linux/RPM/fedora/devel/rawhide/i386/spamass-milter-0.3.1-24.fc15.i686.html#Changelog
>
Whatever, fixed in Ubuntu Lucid since last year:

+spamass-milter (0.3.1-10) unstable; urgency=low
+
+  * Fix zombies which were happening with -x. (closes: #575019)
+
+ -- Don Armstrong <d...@debian.org>  Mon, 22 Mar 2010 14:39:12 -0700
+
+spamass-milter (0.3.1-9) unstable; urgency=high
+
+  * Call restorecon on the socket and pidfile directories to make SELinux
+    happy (thanks to Russell Coker) (closes: #518552)
+  * Document how to make inet:9999@127.0.0.1 work (closes: #519245)
+  * Document that using the -x option requires being in the smmsp group
+    (closes: #515158)
+  * Deal with inet:999 sockets (closes: #514749)
+    - handle them more sanely in the init script
+    - document how to deal with them in README.Debian and
+      /etc/spamass-milter/default
+  * Use new popenenv function instead of open; fixes remote code exploit
+    as the spamass-milter user when run using -x. (closes: #573228)
+
+ -- Don Armstrong <d...@debian.org>  Wed, 11 Mar 2009 03:59:39 -0700
+

-- 
Best Regards
Kind regards
Robert Schetterer
Germany/Munich/Bavaria
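Review bot: these two changelog entries record two distinct fixes, and the reply above cites only one CVE for them: 0.3.1-9 replaces open with the new popenenv function to close the remote code exploit as the spamass-milter user when run with -x (#573228), while 0.3.1-10 separately fixes the zombies seen with -x (#575019). Anyone mapping the RHEL/CentOS changelog (0.3.1-17 for the fix, 0.3.1-19 for the zombie fix) to these Debian entries should match on the bug description rather than on the CVE number alone. The 0.3.1-9 entry also documents that -x requires membership in the smmsp group, which bears on the privilege question raised at the top of the thread.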