[Mimedefang] SECURITY: MIMEDefang 2.61 is Released
David F. Skoll
dfs at roaringpenguin.com
Fri Feb 9 13:18:49 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
There is a problem with MIMEDefang 2.59 and 2.60 which could lead to a
denial-of-service attack, or possibly even arbitrary code execution as
the "defang" user. If you are running 2.59 or 2.60, you're strongly encouraged
to upgrade to 2.61, available at http://www.mimedefang.org/node.php?id=1
Please note that versions 2.58 and earlier do NOT have the vulnerability.
I will release specific details of the problem in one week's time.
Here is the changelog since 2.60.
2007-02-09 David F. Skoll <dfs at roaringpenguin.com>
* VERSION 2.61 RELEASED
* SECURITY FIX: Versions 2.59 and 2.60 contained a programming
error that could lead to a buffer overflow. This is definitely
exploitable as a denial-of-service attack, and potentially may
allow arbitrary code execution. The bug is fixed in 2.61.
* mimedefang.c: If a message is going to end up being rejected,
discarded or tempfailed, we don't bother carrying out requests
to add/delete/modify headers or recipients, change the message
2007-02-02 David F. Skoll <dfs at roaringpenguin.com>
* VERSION 2.60 RELEASED
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the MIMEDefang