Date: Tue, 11 Mar 2003 18:59:47 +0100 From: "Guy P." <guy@device.dyndns.org> To: freebsd-security@FreeBSD.ORG Subject: Re: Prov. patch for the file hole ISS disclosed Message-ID: <5.1.1.6.0.20030311185258.04022810@device.dyndns.org> In-Reply-To: <20030311174126.GA57179@madman.celabo.org> References: <5.2.0.9.2.20030311113159.0386fea0@localhost> <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
At 18:41 11/03/2003, Jacques A. Vidrine wrote: >On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: > > >Thanks! However, this has already been fixed in -CURRENT (by import > > >of FILE 3.41). I do not know whether or not David plans to MFC in > > >time for 4.8-RELEASE. > > > > I think this should be merged into the security branches, > > due to possible remote exploit by third party programs that > > use file, such as (at the very least) amavis. > >I tend to agree. > >David? FYI, amavis people just released a SA where they state "We expect that all distributors of free UNIX(R)-like operating systems will address the issue shortly." See http://marc.theaimsgroup.com/?l=amavis-user&m=104740298431088&w=2 Also wanted to mention that amavis provide a way to run its processes as a non-root user, but it take some work to achieve, so we can expect some people will have "delayed" doing so ( just as i did until i realized what implications it had :] ) -- G.P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.1.6.0.20030311185258.04022810>