savannah-hackers

Re: [Savannah-hackers] bug classified critical about mailx package


From: mathieu
Subject: Re: [Savannah-hackers] bug classified critical about mailx package
Date: Sun, 21 Apr 2002 00:31:06 +0200

In fact, it was said that the Debian mailx is the OpenBSD mailx...


On Sun 21 Apr 2002 at 0:27, Loic Dachary wrote:

        Upgraded mailx on subversions, although we're not running
OpenBSD ;-)

mathieu writes:
 > http://bugs.debian.org/cgi-bin/bugreport.cgi?ar\&bug=143152
 >
 >
 > Package: mailx
 > Severity: critical
 > Tags: security patch upstream
 >
 >          From http://www.deadly.org/article.php3?sid=20020413161803
 >
 > "The mail(1) program can be made to execute arbitrary code in non
 > interactive mode. this can be exploited using cron and the system
 > startup scripts (by any local user with no privs) a patch is and
 > advisory is available on the advisory page."
 >
 >          /usr/share/doc/mailx/copyright says "It is now based on
 >          OpenBSD in directory src/usr.bin/mail ...", so we're likely to
 >          be vulnerable.
 >
 >   The deadly.org page contains an exploit, and OpenBSD has
 >          a patch ready.
 >
 >
 > ====> maybe the subversion.gnu.org should be updated.

--
Loic   Dachary         http://www.dachary.org/  address@hidden
12 bd  Magenta         http://www.senga.org/      address@hidden
75010    Paris         T: 33 1 42 45 07 97          address@hidden
        GPG Public Key: http://www.dachary.org/loic/gpg.txt


--
mathieu

 (( http://humeur.coleumes.org ))
 (( http://gpg.coleumes.org GPG KEY ))


