Date: Fri, 28 Mar 2008 01:27:56 +0100 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Cc: Thijs Kinkhorst <thijs@...ian.org>, Andrej Kacian <ticho@...too.org>, chris@...ishowells.co.uk Subject: CVE request: policyd-weight insecure temporary file creation Hey all, quoting DSA-1531-1: Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitary files from the local system. References: http://www.us.debian.org/security/2008/dsa-1531 https://bugs.gentoo.org/show_bug.cgi?id=214403 http://www.policyd-weight.org/ Please note that the 0.1.14.15 release and the patch introduced in the Debian package do not properly fix this vulnerability, it still contains a race condition. See the Gentoo bug for details. Download attachment "signature.asc " of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.