[Esd-l] [slackware-security] metamail security update (SSA:2004-049-02) (fwd)

Sergio P. Cesar sergio at winc.net
Tue Feb 24 15:58:43 PST 2004


> A security fix you should be aware of if you are doing (or planning on
> doing) attachment scanning.
>
> Other distributions will no doubt be making similar announcements.
>
> I have NOT updated the metamail source packages I host. I hope to do
> so sometime this week.
>
> Sorry for the delay reposting this.

Is there any other way to do attachment scanning without the metamail
package? RH 9 does not have it.

Sergio



>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
> 				-- Peter da Silva in a.s.r
> -----------------------------------------------------------------------
>    39 days until the Slovakian Presidential Election
>
> ---------- Forwarded message ----------
> Date: Wed, 18 Feb 2004 04:38:25 -0800 (PST)
> From: Slackware Security Team <security at slackware.com>
> To: slackware-security at slackware.com
> Subject: [slackware-security]  metamail security update (SSA:2004-049-02)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [slackware-security]  metamail security update (SSA:2004-049-02)
>
> Metamail is a set of utilities for processing MIME mail.
>
> New metamail packages are available for Slackware 8.1, 9.0, 9.1,
> and -current.  These fix two format string bugs and two buffer
> overflows which could lead to unauthorized code execution.
>
> Thanks to Ulf Härnhammar for discovering these problems and
> providing a patch.
>
> More details about this issue may be found in the Common
> Vulnerabilities and Exposures (CVE) database:
>
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0104
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0105
>
>
> Here are the details from the Slackware 9.1 ChangeLog:
> +--------------------------+
> Wed Feb 18 03:44:42 PST 2004
> patches/packages/metamail-2.7-i486-2.tgz:  Patched two format string
>   bugs and two buffer overflows in metamail which could lead to
>   unauthorized code execution.  Thanks to Ulf Härnhammar for discovering
>   these problems and providing a patch.
>   (* Security fix *)
> +--------------------------+
>
>
> WHERE TO FIND THE NEW PACKAGE:
> +-----------------------------+
>
> Updated package for Slackware 8.1:
> ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/metamail-2.7-i386-2.tgz
>
> Updated package for Slackware 9.0:
> ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/metamail-2.7-i386-2.tgz
>
> Updated package for Slackware 9.1:
> ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/metamail-2.7-i486-2.tgz
>
> Updated package for Slackware -current:
> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/metamail-2.7-i486-2.tgz
>
>
> MD5 SIGNATURES:
> +-------------+
>
> Slackware 8.1 package:
> 2472a9ac8eefc7d919c0dff517651be6  metamail-2.7-i386-2.tgz
>
> Slackware 9.0 package:
> 4f283c4ad8429fd0e9ed92f3e95e93c7  metamail-2.7-i386-2.tgz
>
> Slackware 9.1 package:
> d9947ffb77c68930ed4826dfab4af91b  metamail-2.7-i486-2.tgz
>
> Slackware -current package:
> d9947ffb77c68930ed4826dfab4af91b  metamail-2.7-i486-2.tgz
>
>
> INSTALLATION INSTRUCTIONS:
> +------------------------+
>
> Upgrade the metamail package with upgradepkg:
>
> # upgradepkg metamail-2.7-i486-2.tgz
>
>
> +-----+
>
> Slackware Linux Security Team
> http://slackware.com/gpg-key
> security at slackware.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFAM1qGakRjwEAQIjMRAuVOAKCI9kSqYBMEHtEW6xu6lUPcOPTRKgCfRoZt
> sks+bl+KqOmhTdbnfMfMepE=
> =yisA
> -----END PGP SIGNATURE-----
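Added example, not part of the original messages or the Slackware advisory: a shell check that compares a downloaded package against the MD5 listed in the advisory for the Slackware 9.1 / -current package before it is handed to `upgradepkg`. The function name `verify_pkg` and the script layout are assumptions made for illustration; the MD5 only ties the file to the advisory text, so the advisory's own PGP signature should be checked against the key at http://slackware.com/gpg-key first.

```shell
#!/bin/sh
# Added example: verify a downloaded metamail package against the MD5
# published in SSA:2004-049-02 before installing it.

# MD5 from the advisory for metamail-2.7-i486-2.tgz (Slackware 9.1 / -current).
ADVISORY_MD5="d9947ffb77c68930ed4826dfab4af91b"

# verify_pkg FILE EXPECTED_MD5
#   returns 0 if the file's MD5 equals EXPECTED_MD5
#   returns 1 on mismatch
#   returns 2 if the expected value is not 32 hex digits or the file is unreadable
verify_pkg() {
    file=$1
    # Normalise case so an upper-case digest pasted from elsewhere still compares.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Refuse malformed digests instead of silently "not matching".
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2

    [ -f "$file" ] && [ -r "$file" ] || return 2

    # Read via stdin so unusual file names cannot alter md5sum's output format.
    actual=$(md5sum < "$file" | cut -d' ' -f1) || return 2

    [ "$actual" = "$expected" ]
}

# Usage: sh verify-metamail.sh /path/to/metamail-2.7-i486-2.tgz
if [ "$#" -eq 1 ]; then
    if verify_pkg "$1" "$ADVISORY_MD5"; then
        echo "MD5 matches the advisory; install with: upgradepkg $1"
    else
        echo "MD5 mismatch or unreadable file, do not install: $1" >&2
        exit 1
    fi
fi
```

For the Slackware 8.1 or 9.0 packages, pass the corresponding MD5 from the advisory as the second argument to `verify_pkg` instead of `ADVISORY_MD5`.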