Bug#: 188638
Status: RESOLVED
Resolution: INVALID
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>
Description:   Opened: 2007-08-12 20:28 0000
A vulnerability with an unknown impact has been reported in ASSP.

The vulnerability is caused due to an unspecified error within assp.pl. No
further details are available.

The vulnerability is reported in version 1.3.3.

------- Comment #1 From Matt Fleming (RETIRED) 2007-08-12 20:37:03 0000 -------
CC'ing maintainer and setting whiteboard status.

------- Comment #2 From William L. Thomson Jr. (RETIRED) 2007-08-14 17:53:15 0000 -------
I will see about getting 1.3.3.1 into the tree ASAP.

------- Comment #3 From William L. Thomson Jr. (RETIRED) 2007-08-17 21:56:18 0000 -------
1.3.3.1 is in the tree. It could use some testing, and once others sign off, we
can look to rush-stabilize to address the vulnerability. Sorry for the delay in
the bump; I have to make a large patch, which has to be mirrored due to its size :(

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-08-19 18:58:04 0000 -------
Thx William. What do you mean by "and once others sign off"? Is it ready for
stable marking or not?

------- Comment #5 From William L. Thomson Jr. (RETIRED) 2007-08-19 19:10:10 0000 -------
(In reply to comment #4)
> Thx William. What do you mean by "and once others sign off"?

I would like others to test and confirm whether it's stable, or its condition.
Just today I ran into an issue and bumped it to -r2. Not sure how I did not run
into that locally; it did start for me, or so I imagined :)

> Is it ready for stable marking or not?

I would say not, but I am putting it on some low-volume/low-importance mail
servers for testing. Trying to confirm its stability or not ASAP. But since this
is pretty much all me this time, creating the patches, modifying paths, etc., I
would like feedback from others that use ASSP. How to get their attention?

------- Comment #6 From William L. Thomson Jr. (RETIRED) 2007-08-19 19:11:08 0000 -------
Sorry, accidentally clicked a radio button and changed the status.

------- Comment #7 From William L. Thomson Jr. (RETIRED) 2007-08-25 14:17:00 0000 -------
I completely screwed up 1.3.1; I will take another stab at it tomorrow.

------- Comment #8 From William L. Thomson Jr. (RETIRED) 2007-09-05 19:03:55 0000 -------
Ok, finally got it right this time, I believe. I have it running on two
production mail servers and so far so good. So 1.3.3.1-r3 should be good to go.
Not sure how long it will take for the patches to be mirrored, etc., but they
have been uploaded to d.g.o. Otherwise, I guess we can go ahead and look to
stabilize now.

I would still like a few others to test and comment. But in their absence,
unless I run into any issues in the next day or so, we can proceed with
stabilization.

------- Comment #9 From William L. Thomson Jr. (RETIRED) 2007-09-06 15:48:00 0000 -------
Ok, I got some peer review and had a few things off path-wise in my patch.
Mostly affected the admin web GUI, but still. The new 1.3.3.1-r4 that I just
committed should be good to go.

Sorry about all this. It would be much easier if upstream supported absolute
paths vs. relative, so we could split things up more easily for FHS.
Unfortunately upstream seems to be developing ASSP on Windows, so they're likely
stuck with a single dir due to that platform :( Not receptive to absolute-path
or split-layout requests :(

------- Comment #10 From Pierre-Yves Rofes 2007-09-06 15:57:30 0000 -------
Thanks, William.
Arches, please test and mark stable mail-filter/assp-1.3.3.1-r4:
target keywords are "amd64 x86"

------- Comment #11 From Christian Faulhammer 2007-09-09 12:11:35 0000 -------
Based on Secunia's advisory I propose B3.

------- Comment #12 From Markus Meier 2007-09-09 13:02:58 0000 -------
!!! Couldn't download 'assp-1.3.3.1-r4.patch.tbz2'. Aborting.

------- Comment #13 From Sune Kloppenborg Jeppesen 2007-09-09 19:06:12 0000 -------
Back to ebuild to get the patches mirrored.

------- Comment #14 From William L. Thomson Jr. (RETIRED) 2007-09-12 22:38:09 0000 -------
Odd, others got the patches without a problem. I re-uploaded the patch to d.g.o
so it would be picked up and mirrored. Hopefully that did the trick.

Also, it seems we can close this bug. I got confirmation from upstream that the
security issue was specific to 1.3.3, which was never in the tree. Besides, we
would not have been affected, since we run assp as assp:assp with perms on
/etc/assp so only it has access to it.

http://sourceforge.net/mailarchive/message.php?msg_name=1189636482.18987.34.camel%40wlt.obsidian-studios.com

Requesting this bug be closed as invalid. I think I can do that, but I don't
want to deviate from security's procedures, etc. So I will leave it to another
to mark as invalid and close :)

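The closing argument in comment #14 is a least-privilege one: the daemon runs as its own assp:assp account and /etc/assp is readable by that account alone. The check below, added here as an illustration and not part of the bug, the ebuild or upstream ASSP, verifies that property for any directory/user/group the caller passes (the Gentoo layout /etc/assp assp assp is only the example invocation). It parses `ls -ld` rather than `stat`, because the field layout is the same on GNU and BSD userlands while stat's flags differ.

```shell
#!/bin/sh
# Constructed example (not from the bug or the assp ebuild): confirm that a
# configuration directory is private to the service account that owns it.

# check_private_dir DIR USER GROUP
# Returns 0 when DIR exists, is owned by USER:GROUP and grants no group or
# other permission bits at all; otherwise prints the reason and returns 1.
check_private_dir() {
    dir=$1
    want_user=$2
    want_group=$3

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # 'ls -ld' prints: MODE LINKS OWNER GROUP SIZE DATE... NAME
    # Only fields 1, 3 and 4 are used, so spaces in the date or name are harmless.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    group=$4

    [ "$owner" = "$want_user" ] || {
        echo "$dir: owner is $owner, want $want_user"; return 1; }
    [ "$group" = "$want_group" ] || {
        echo "$dir: group is $group, want $want_group"; return 1; }

    # MODE looks like drwx------ (possibly followed by '+' or '.' for ACL /
    # security-context markers).  Characters 5-10 are the group and other bits;
    # they must all be '-' for the directory to be reachable by the owner only.
    case "$mode" in
        d???------*) return 0 ;;
        *) echo "$dir: mode $mode grants access beyond the owner"; return 1 ;;
    esac
}

# Example invocation for the layout described in the bug (assumes the Gentoo
# paths and the assp service account exist on this host):
#   check_private_dir /etc/assp assp assp && echo "/etc/assp is private to assp"
```

A mode of 750 already fails this check, because the group bits let any other member of the assp group read the configuration; if the deployment intentionally shares the group, relax the pattern to `d??????---*` and say so in the lead-in of whatever policy document cites it.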
------- Comment #15 From Pierre-Yves Rofes 2007-09-13 06:43:49 0000 -------
Well, okay. If we're not affected, there is no need to keep it open. Closing as invalid.
