[Secure-testing-team] Status of unfixed security issues
Moritz Muehlenhoff
jmm at inutil.org
Wed Apr 6 19:31:01 UTC 2005
Andrew Pollock wrote:
> > > You should contact the MIA handling guys for this I think.
> >
> > openwebmail is already orphaned. I'll be making a QA upload once it hits the
> > 14 day mark.
> >
> > If the attached patch applies, I'll apply it as part of the QA upload.
>
> That said, I've read the bug, and apparently the patch doesn't fully address
> the issues in the bug. I'm inclined to lean towards reassigning the WNPP bug
> to ftp.debian.org and request its removal.

There are actually four security-related bugs:

290848 - openwebmail chowns all perl scripts to suid root in the postinst!
297914 - openwebmail uses suidperl instead of perl (upstream documentation
         seems to imply that it's mandatory, though)
291478 - insecure tempfile handling (maybe fixed upstream according to
         changelog, but I'm not sure how complete)
295756 - Cross Site Scripting issue CAN-2005-0445

But I just saw in 297919 that Peter Gervai offered to NMU with a more recent
version, maybe he's interested in adopting and preparing a decent package.
Otherwise the removal from sid seems the best solution.

Cheers,
Moritz