
Re: [suse-security] Problem with last Hylafax update (notify script)



Carlos - thanks for posting it to this list - I upgraded but have not used
the server since, so I did not even notice it.

I'd like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as
well. Rather than rolling back the whole update, I have just restored the old
notify script to make it work again. I have not had the time to look through the
changes yet to see why it breaks.

SuSE - please fix it...


Best regards
Hubba





On Wed, 25 Jan 2006 23:38:19 +0100 (CET), Carlos E. R. wrote
> 
> After updating hylafax by YOU, in SuSE 9.3, to version 
> "hylafax-4.2.1-4.3", notify email is not sent:
> 
>   Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
> 
>   Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 
> 915811939 COMMID 000000023 DEVICE '/dev/modem'
>   Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
>   Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify 
> "doneq/q11" "done" "1:55"
>   Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
> * Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient 
> addresses found in message header
>   Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /
> 
> This patch modified precisely the notify script:
> 
> | Longdescription.english:
> | This update fixes an issue in the hylafax notify script,
> | which could maybe be used by remote attackers with a valid
> | faxuser account to run arbitrary commands.
> 
> I would recommend not to apply it till SuSE corrects the problem. I'll 
> probably roll back.
> 
> - -- 
> Cheers,
>        Carlos Robinson
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
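
A log check for the failure shown in the quoted excerpt, where FaxQueuer reports NOTIFY exit status 0 while sendmail rejects the message for lack of recipients (an added example, not part of the original thread or of HylaFAX). The function name, the 5-second correlation window and the job 12 lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Lines for job 11 follow the excerpt quoted above with the e-mail wraps undone;
# job 12 is a constructed healthy run added for contrast.
SAMPLE_LOG = """\
Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
Jan 25 21:40:02 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q12" "done" "0:48"
Jan 25 21:40:03 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8201)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w/]+)\[\d+\]: (.*)$")
NOTIFY = re.compile(r'^NOTIFY: \S*notify "([^"]+)" "([^"]+)"')
NO_RCPT = "No recipient addresses found in message header"

def find_lost_notifications(log_text, window_seconds=5):
    """Return (timestamp, qfile, reason) for each notify run whose mail was rejected."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            # syslog omits the year; a placeholder year is enough because only
            # differences between timestamps are used
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    window = timedelta(seconds=window_seconds)
    lost = []
    for ts, prog, msg in events:
        n = NOTIFY.match(msg) if prog == "FaxQueuer" else None
        if not n:
            continue
        # The queuer logs exit status 0 either way, so correlate on the MTA error.
        if any(p == "postfix/sendmail" and NO_RCPT in text and abs(t - ts) <= window
               for t, p, text in events):
            lost.append((ts.strftime("%b %d %H:%M:%S"), n.group(1), n.group(2)))
    return lost

if __name__ == "__main__":
    for when, qfile, reason in find_lost_notifications(SAMPLE_LOG):
        print(f"{when}: notify for {qfile} ({reason}) produced no mail")
```
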

