[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Rem
From: |
Dan Nelson |
Subject: |
Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt |
Date: |
Fri, 11 Feb 2011 00:08:26 -0600 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
In the last episode (Feb 10), Don Armstrong said:
> On Thu, 10 Feb 2011, Adam Katz wrote:
> > On 02/10/2011 10:21 AM, David F. Skoll wrote:
> > > Aieee.... popen() in security-sensitive software!??!??
> > >
> > > Also, why does the milter process run as root? That seems like a huge
> > > hole all by itself.
> >
> > Does this affect sendmail as well as postfix?
>
> It only affects you if you're running with -x. This was patched in
> Debian and Redhat in March of 2010.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228
I thought I committed the patch to CVS, but apparently hadn't. It's
committed now, and I'll do a release this weekend.
--
Dan Nelson
address@hidden