Date: Fri, 1 May 2009 09:17:24 -0500 From: Jamie Strandboge <jamie@...onical.com> To: coley@...us.mitre.org Cc: oss-security@...ts.openwall.com Subject: CVE Request: clamav-milter on Ubuntu Due to a typo, the clamav-milter initscript would change the owner of the current directory to clamav (or whatever User is set to in clamd.conf). This typically affects the '/' directory, but could affect any directory on the system. This is all documented in the Ubuntu bug. This was introduced in this commit: http://git.debian.org/?p=pkg-clamav/clamav.git;a=commitdiff;h=c4e1bf5d98637c0219852eaac768170bf8aef2fc;hp=5a2b5013440c4b81d0eb3233072c88564a15fc5d 0.95.1+dfsg-1ubuntu1 and 0.95.1+dfsg-1ubuntu1.1 on Ubuntu 9.04 are affected, but earlier versions are not. It looks like Debian never released with this code, and version 0.95.1+dfsg-2 (in Debian/unstable) is not affected. Derivatives of Ubuntu 9.04 are presumably affected. Can we get a CVE for this? Jamie  https://bugs.launchpad.net/bugs/365823 -- Jamie Strandboge | http://www.canonical.com Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ