Re: [AMaViS-user] First public pre-release (-pre2)

01-24-2007
Mark Martinec

Leon,

> > Sometimes I wonder why we bother and keep writing
> > software and preparing patches, especially with
> > security-related stuff...

>
> You're right here.
> The problem is that it takes so long for OS maintainers
> to release a new ver.
> For Suse for example, the latest version available is
> perl-Convert-UUlib-1.051-31 (even from opensuse factory).
>
> I'd prefer to grab newer .src.rpm and compile it on my system, but
> unfortunately there is no 1.06 version for the OS I'm currently running
> mail server on.


Well, it is easy for me to drop a requirement for 1.06
and continue being happy with 1.05. The only reason for
a requirement is security concerns. The uulib has a rather
buggy history, but is quite useful for the duties it performs
in decoding malformed messages.

The uulib was a target for exploits in the past,
the last one with known exploitable bugs is 1.04,
which is why 1.05 used to be a minimal required version
up to amavisd 2.4.4.

Looking at its change log, both the 1.05 and the 1.06 look like
potential candidates for future attacks:

1.08(1.07):
fixed an uninitialised variable ...

1.06:
fix some signed/unsigned char problems of unknown relevance


I guess I'll be removing a requirement for 1.06,
for the amount of trouble it is causing:

--- amavisd.orig Tue Jan 23 17:13:25 2007
+++ amavisd Wed Jan 24 16:01:18 2007
@@ -16479,4 +16479,3 @@
# avoid an exploitable security hole in Convert::UUlib 1.04 and older!
- # avoid likely security holes in Convert::UUlib 1.051 and older
-use Convert::UUlib 1.06 qw(:constants);
+use Convert::UUlib 1.05 qw(:constants); # 1.08 or newer is preferred!
use Compress::Zlib 1.35; # avoid security vulnerability in <= 1.34
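
Review bot: the relaxed `use Convert::UUlib 1.05 qw(:constants);` line states the preference for 1.08 or newer only in a trailing comment, so nothing at run time tells an administrator that the installed version is one the removed comment described as likely to have security holes ("1.051 and older"). Consider keeping that warning as a comment next to the line, reworded to say that 1.05 is accepted only for packaging reasons, and logging a startup warning when the loaded Convert::UUlib version is below the preferred one. That way the hard requirement can be dropped without losing the signal.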


Mark
