Debian: DSA-1981-2: New maildrop packages fix regression

    Date28 Jan 2010
    CategoryDebian
    113
    Posted ByLinuxSecurity Advisories
    The latest DSA for maildrop introduced two regressions. The maildrop program stopped working when invoked as a non-root user, such as with postfix. Also, the lenny version dropped a dependency on the courier-authlib package.
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1981-2                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                      Steffen Joeris
    January 28, 2010                      http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : maildrop
    Vulnerability  : privilege escalation
    Problem type   : local
    Debian-specific: no
    CVE Id         : CVE-2010-0301
    Debian Bug     : 564601
    
    The latest DSA for maildrop introduced two regressions. The maildrop
    program stopped working when invoked as a non-root user, such as with
    postfix. Also, the lenny version dropped a dependency on the
    courier-authlib package.
    
    
    For the stable distribution (lenny), this problem has been fixed in
    version 2.0.4-3+lenny3.
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 2.0.2-11+etch2.
    
    For the testing distribution (squeeze) this problem will be fixed soon.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 2.2.0-3.1.
    
    For reference, the original advisory text is below.
    
    Christoph Anton Mitterer discovered that maildrop, a mail delivery agent
    with filtering abilities, is prone to a privilege escalation issue that
    grants a user root group privileges.
    
    We recommend that you upgrade your maildrop packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2.dsc
        Size/MD5 checksum:      736 280d7371f21cd78c4977d65967f4695c
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2.diff.gz
        Size/MD5 checksum:    13965 269c15cb493be7357dc5d8a8acbad25d
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2.orig.tar.gz
        Size/MD5 checksum:  3217622 d799e44aa65027a02343e5e08b97f3a0
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_alpha.deb
        Size/MD5 checksum:   398482 c4dcbec55c55dff97a738617b367f517
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_amd64.deb
        Size/MD5 checksum:   363478 94687bb12867af71bcf9680f089e422f
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_arm.deb
        Size/MD5 checksum:   350004 513a26c626071a4d58abbbc22a7f9f4b
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_hppa.deb
        Size/MD5 checksum:   388388 ce6100257045fe40df77af384d5d2b51
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_i386.deb
        Size/MD5 checksum:   355890 07f603a68d05bf05f9fad916f9de51e0
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_ia64.deb
        Size/MD5 checksum:   470078 78f1972ef14698a20d5c181b90dd31e7
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_mipsel.deb
        Size/MD5 checksum:   376390 678ed61359f44e3bb9161d03e4b6675f
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.2-11+etch2_powerpc.deb
        Size/MD5 checksum:   358184 c76433b354ed838938340a06a7f93cd2
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4.orig.tar.gz
        Size/MD5 checksum:  3566630 78e6c27afe7eff9e132b8bc20087aae7
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3.diff.gz
        Size/MD5 checksum:   807850 15846a840e3bad8301778630d7e7bf24
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3.dsc
        Size/MD5 checksum:     1137 826da92ceb403b0e0778c3609c109a1e
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_alpha.deb
        Size/MD5 checksum:   402062 21c37f944be6d5b02544acb17c521681
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_amd64.deb
        Size/MD5 checksum:   371772 18b875356d68e326c51decf8061eff99
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_hppa.deb
        Size/MD5 checksum:   389098 c59222e68d068e2d68db475854b8f52d
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_i386.deb
        Size/MD5 checksum:   359508 340a509db515cd0d4e9af017871d0f80
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_ia64.deb
        Size/MD5 checksum:   466646 826d66a3b3bc85492bf45f9552db15ca
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_mips.deb
        Size/MD5 checksum:   375330 c0c80404e33608fdc46d007d7ad97c08
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_mipsel.deb
        Size/MD5 checksum:   376072 ece64fb17424086e64dd5cb84604f80b
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/m/maildrop/maildrop_2.0.4-3+lenny3_powerpc.deb
        Size/MD5 checksum:   379196 3cd9eb52eb8a14feebd37be8578f467f
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":51.32,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.47,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"26","type":"x","order":"3","pct":34.21,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.