Re: [suse-security] Problem with last Hylafax update (notify script)
Carlos - thanks for posting it to this list - I upgraded but since have not used
the server yet so I did not even notice it.
I'd like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as
well - rather than rolling back the whole update I have just restored the old
notify script to make it work again - have not had the time to look through the
changes yet to see why it breaks.
SuSE - please fix it...
On Wed, 25 Jan 2006 23:38:19 +0100 (CET), Carlos E. R. wrote
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> After updating hylafax by YOU, in SuSE 9.3, to version
> "hylafax-4.2.1-4.3", notify email is not sent:
>
> Jan 25 21:23:11 nimrodel FaxSend: MODEM U.S. ROBOTICS 56K FAX /
> Jan 25 21:23:11 nimrodel FaxSend: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
> Jan 25 21:24:50 nimrodel FaxSend: SEND FAX: JOB 11 SENT in 1:17
> Jan 25 21:24:51 nimrodel FaxQueuer: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
> Jan 25 21:24:52 nimrodel FaxQueuer: NOTIFY exit status: 0 (8135)
> * Jan 25 21:24:51 nimrodel postfix/sendmail: fatal: No recipient addresses found in message header
> Jan 25 21:25:08 nimrodel FaxGetty: MODEM U.S. ROBOTICS 56K FAX /
>
> This patch modified precisely the notify script:
>
> | Longdescription.english:
> | This update fixes an issue in the hylafax notify script,
> | which could maybe be used by remote attackers with a valid
> | faxuser account to run arbitrary commands.
> I would recommend not to apply it till SuSE corrects the problem. I'll
> probably roll back.
> - --
> Carlos Robinson
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (GNU/Linux)
> Comment: Made with pgp4pine 1.76
> -----END PGP SIGNATURE-----
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here