Author: dilinger-guest Date: 2005-08-29 20:38:38 +0000 (Mon, 29 Aug 2005) New Revision: 1721 Added: data/DTSA/DTSA-11-1 Modified: data/DTSA/list Log: add maildrop DTSA Added: data/DTSA/DTSA-11-1 ==================================================================--- data/DTSA/DTSA-11-1 2005-08-29 20:20:17 UTC (rev 1720) +++ data/DTSA/DTSA-11-1 2005-08-29 20:38:38 UTC (rev 1721) 
@@ -0,0 +1,50 @@ +----------------------------------------------------------------------------- +Debian Testing Security Advisory DTSA-11-1 http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org Andres Salomon +August 29th, 2005 +----------------------------------------------------------------------------- + +Package : maildrop +Vulnerability : local privilege escalation +Problem-Type : local +Debian-specific: yes +CVE ID : CAN-2005-2655 + +The lockmail binary shipped with maildrop allows for an attacker to +obtain an effective gid as group "mail". Debian ships the binary with its +setgid bit set, but the program does not drop privileges when run. It takes +an argument that is executed, and since it does not drop privileges, an +attacker can execute an arbitrary command with an effective gid of the "mail" +group. + +For the testing distribution (etch) this is fixed in version +1.5.3-1.1etch1. + +For the unstable distribution (sid) this is fixed in version +1.5.3-2. + +This upgrade is strongly recommended if you use maildrop. + +The Debian testing security team does not track security issues for the +stable distribution (woody). If stable is vulnerable, the Debian security +team will make an announcement once a fix is ready. 
+ +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + + deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + + apt-get update && apt-get install maildrop + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ + Modified: data/DTSA/list ==================================================================--- data/DTSA/list 2005-08-29 20:20:17 UTC (rev 1720) +++ data/DTSA/list 2005-08-29 20:38:38 UTC (rev 1721) @@ -1,3 +1,6 @@ +[29 Aug 2005] DTSA-11-1 maildrop - local privilege escalation + {CAN-2005-2655} + - maildrop 1.5.3-1.1etch1 (high) [01 Jan 1969] DTSA-10-1 pcre3 - buffer overflow - pcre3 6.3-0.1etch1 (high) NOTE: joeyh working on it
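Review bot: The DTSA-11-1 advisory hunk names only the fixed versions (1.5.3-1.1etch1 for etch, 1.5.3-2 for sid) and never states which maildrop versions are affected, so a reader cannot tell from the text alone whether an installed version predates the fix; add an explicit affected-versions line alongside "Package : maildrop" and "Debian-specific: yes". The description also gives no interim measure for users who cannot upgrade immediately: since the text itself attributes the problem to lockmail being shipped setgid "mail" and not dropping privileges, a one-line workaround (clearing the setgid bit on lockmail until the fixed package is installed) would fit just before "This upgrade is strongly recommended if you use maildrop."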
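Review bot: The new entry in the data/DTSA/list hunk is consistent with the advisory text (same DTSA id, CVE CAN-2005-2655, version 1.5.3-1.1etch1, severity high) and follows the three-line layout of the neighbouring DTSA-10-1 entry, so the addition itself looks correct; the one thing worth flagging is that the unchanged context line "[01 Jan 1969] DTSA-10-1 pcre3 - buffer overflow" still carries a placeholder date and the "NOTE: joeyh working on it" marker, which is outside this change but should be replaced with the real date when that advisory is finalized so the list stays in date order.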