Overview

Request 747751 accepted

- Update to mailutils 3.8
  * The maidag utility is withdrawn (CVE-2019-18862, bsc#1156495)
    The main purpose of this utility was to work as a local mail delivery
    agent (MDA), a program responsible for final delivery of email messages
    to the recipient's mailbox. As such it required suid privileges.
    In parallel with its main purpose, it also was able to work in two
    other modes: the 'url' mode, designed to deliver mails to arbitrary
    mailbox URLs, and 'lmtp' mode, in which it acted as a local mail
    transport daemon. Neither of these needed suid privileges.
    The unfortunate design decision to combine the three modes in a single
    versatile tool resulted in a local privilege escalation threat in 'url'
    mode.
    To fix this, maidag has been replaced by three different utilities,
    each one with a precisely defined purpose and carefully designed
    privileges: mda, lmtpd, and putmail.
  * mda
  * lmtpd
  * putmail
  * Use of TLS in pop3d run from inetd
  * comsatd --test
  * mail
    ** fix the semantics of 'hold' and 'keepsave' variables
    ** New message type specification ":s"

Request History
WernerFink created request


factory-auto added opensuse-review-team as a reviewer

Please review sources


factory-auto accepted review

Check script succeeded


licensedigger accepted review

ok


dimstar accepted review


staging-bot set openSUSE:Factory:Staging:H as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:H"


staging-bot accepted review

Picked openSUSE:Factory:Staging:H


dimstar_suse accepted review

ready to accept


dimstar_suse approved review

ready to accept


dimstar_suse accepted request

Accept to openSUSE:Factory
