Support / Security / Advisories / Multi Network Firewall 2.0 / MDKSA-2005:168

Package name: masqmail
Date: 2005-09-20
Advisory ID: MDKSA-2005:168
Affected versions: MNF2.0 i586

Problem description

Jens Steube discovered two vulnerabilities in masqmail: When sending failed mail messages, the address was not properly sanitized which could allow a local attacker to execute arbitrary commands as the mail user (CAN-2005-2662). When opening the log file, masqmail did not relinquish privileges, which could allow a local attacker to overwrite arbitrary files via a symlink attack (CAN-2005-2663). The updated packages have been patched to address these issues.

Updated packages

MNF2.0 i586

 368d7259f0d1663f24ab0d96ef316520  mnf/2.0/RPMS/masqmail-0.2.18-3.1.M20mdk.i586.rpm
53c6095a108ea52147909091b262517f  mnf/2.0/SRPMS/masqmail-0.2.18-3.1.M20mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2663