Package name: masqmail
Date: September 20th, 2005
Advisory ID: MDKSA-2005:168
Affected versions: MNF2.0

Problem Description

Jens Steube discovered two vulnerabilities in masqmail:

When sending failed mail messages, the address was not properly
sanitized, which could allow a local attacker to execute arbitrary
commands as the mail user (CAN-2005-2662).

When opening the log file, masqmail did not relinquish privileges,
which could allow a local attacker to overwrite arbitrary files via a
symlink attack (CAN-2005-2663).

The updated packages have been patched to address these issues.
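
The symlink issue (CAN-2005-2663) belongs to a class of bugs where a log path is opened while the process is still privileged. The following C code is an added example, not taken from masqmail or its patch, showing one way to open a log file under the unprivileged identity and refuse symlinks; the helper name open_log_as and the sample path are assumptions made for illustration.

```c
/* Added example, not masqmail's code: open a log file as the unprivileged
 * user and refuse symlinks. open_log_as() is a hypothetical helper. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an fd opened for append, or -1 if the open is refused. */
int open_log_as(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    struct stat st;
    int fd;
    /* Relinquish privileges before touching the path: group first,
     * because a non-root effective uid can no longer change the group. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        if (setegid(saved_gid) != 0) { /* group left changed; caller sees -1 */ }
        return -1;
    }
    /* O_NOFOLLOW makes open() fail if the final component is a symlink. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    /* Judge the opened object, not the name: regular file, single link. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        close(fd);
        fd = -1;
    }
    /* Restore the previous identity: uid first, then gid. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Path is a constructed sample; pass a different one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "sample-masqmail.log";
    int fd = open_log_as(path, getuid(), getgid());
    printf("%s: %s\n", path, fd >= 0 ? "opened" : "refused");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

O_NOFOLLOW only covers the final path component, so the log directory itself must not be writable by untrusted users. A daemon that never needs its privileges again should drop them permanently instead of switching the effective IDs temporarily.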

Updated Packages

Multi Network Firewall 2.0

368d7259f0d1663f24ab0d96ef316520  mnf/2.0/RPMS/masqmail-0.2.18-3.1.M20mdk.i586.rpm
53c6095a108ea52147909091b262517f  mnf/2.0/SRPMS/masqmail-0.2.18-3.1.M20mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2663

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of the MD5 checksum and GPG signature is performed automatically for you.