[Mimedefang] SECURITY: MIMEDefang 2.61 is Released

David F. Skoll dfs at roaringpenguin.com
Fri Feb 9 13:18:49 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

There is a problem with MIMEDefang 2.59 and 2.60 which could lead to a
denial-of-service attack, or possibly even arbitrary code execution as
the "defang" user.  If you are running 2.59 or 2.60, you're strongly encouraged
to upgrade to 2.61, available at http://www.mimedefang.org/node.php?id=1

Please note that versions 2.58 and earlier do NOT have the vulnerability.

I will release specific details of the problem in one week's time.
Here is the changelog since 2.60.

Regards,

David.

2007-02-09  David F. Skoll  <dfs at roaringpenguin.com>

	* VERSION 2.61 RELEASED

	* SECURITY FIX: Versions 2.59 and 2.60 contained a programming
	error that could lead to a buffer overflow.  This is definitely
	exploitable as a denial-of-service attack, and potentially may
	allow arbitrary code execution.  The bug is fixed in 2.61.

	* mimedefang.c: If a message is going to end up being rejected,
	discarded or tempfailed, we don't bother carrying out requests
	to add/delete/modify headers or recipients, change the message
	body, etc.

2007-02-02  David F. Skoll  <dfs at roaringpenguin.com>

	* VERSION 2.60 RELEASED


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFzLsIwYQuKhJvQuARArQVAKCKgXooceSHuKsVC03TzG9HDCVUogCgkc8A
t4Jb86vqoR0QDi/uLbFVypg=
=Ohi+
-----END PGP SIGNATURE-----

