
[suse-security] Problem with last Hylafax update (notify script)





After updating hylafax via YOU on SuSE 9.3 to version
"hylafax-4.2.1-4.3", the notify email is not sent:


  Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
  Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
  Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
  Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
  Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
* Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
  Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /


This patch modified precisely the notify script:

| Longdescription.english:
| This update fixes an issue in the hylafax notify script,
| which could maybe be used by remote attackers with a valid
| faxuser account to run arbitrary commands.


I would recommend not applying it until SuSE corrects the problem. I'll
probably roll back.


-- 
Cheers,
       Carlos Robinson

