Bug 133800 - mail-filter/popfile: DoS (CVE-2006-0876)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [noglsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-19 11:36 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-12 02:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-19 11:36:40 UTC
POPFile before 0.22.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving character sets within e-mail messages.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-19 11:38:30 UTC
Debian has chosen to patch (DSA 1061-1)
Otherwise, 0.22.4 is out
http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-27 02:11:14 UTC
CCing mcummings in order to progress on this vuln.

(and adding CVE id)
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2006-05-31 00:13:01 UTC
POPfile 0.22.4 has been committed to the tree.  It will need stabilising on x86.

Best regards,
Stu
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-31 00:38:24 UTC
Thx SuperStu. x86 please test and mark stable.
Comment 5 Joshua Jackson (RETIRED) gentoo-dev 2006-06-01 20:55:55 UTC
popfile installs, however it's failing while trying to locate the Loader. The following is the error:

Can't Locate POPFile/Loader.pm at @INC (include is all the following locations, perl knows them).

Begin failed--compilation aborted at /usr/share/popfile/popfile.pl line 75.

please advise.
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2006-06-01 21:12:24 UTC
Current stable fails the same way, and also doesn't work out of the box due to a bad chmod.  The location of this file also sucks since it isn't in the user's path.  I'm wondering if we should just put this back to ~x86 until it is more developed and easier to use.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-02 06:06:06 UTC
Seems like a candidate for ~ rather than stable to me.

Stuart please advise.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-06-03 19:53:26 UTC
I removed "x86" from the only stable version we had, so now the only versions we have keyworded are ~x86.  I put that version to -* so that the maintainers can decide when to drop it.

So...we are done :)
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2006-06-04 03:03:20 UTC
Hi,

The popfile-0.22.4 install is working fine locally.  To run it,

  cd /usr/share/popfile && ./popfile.pl

I'd like to see this version stable on x86, to provide an upgrade for everyone running the older version.

Best regards,
Stu
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-04 04:10:43 UTC
SuperStu, does that mean that pkg_postinst is out of date or does running it like /usr/share/popfile/popfile.pl also work?

Security, since this is a B3 we at least need a vote on (mask) GLSA.
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2006-06-04 13:10:55 UTC
I just talked to Stuart and we worked out a way to get this to work so everyone is happy.  He said he'll have time tomorrow to add the fix, and he'll mark it stable for us at the same time.  He's just going to add a little wrapper script into /usr/bin/ so that it will do the cd and everything for the user, so it'll "Just Work" (TM) :)  There are still some problems with it, but this will at least make it a little better, imho.
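The failure in comment 5 and the fix agreed in comments 9 and 11 come down to one thing: popfile.pl finds its POPFile/*.pm modules relative to the current working directory, so it only starts when run from inside /usr/share/popfile. The script below is an added illustration, not Gentoo's ebuild, its pkg_postinst, or any POPFile code: a wrapper of the kind comment 11 describes, plus a constructed stand-in for popfile.pl so the "Can't locate POPFile/Loader.pm" failure and the cd-then-exec fix can be reproduced without installing POPFile. Only the /usr/share/popfile path comes from this thread; every function name and the fixture are assumptions.

```shell
# Added example (not Gentoo's or POPFile's code): a /usr/bin-style wrapper for
# popfile.pl and a constructed fixture that reproduces the cwd dependency.
# Assumed: the install layout /usr/share/popfile/popfile.pl with POPFile/*.pm
# beside it, as described in this bug. The fixture is constructed, not real POPFile.

# popfile_wrapper ROOT [ARGS...]
# Changes into the install directory and execs popfile.pl there, so the
# relative module path POPFile/Loader.pm resolves exactly as it does when the
# script is started by hand with `cd /usr/share/popfile && ./popfile.pl`.
# Install as /usr/bin/popfile by calling: popfile_wrapper /usr/share/popfile "$@"
popfile_wrapper() {
    root=$1; shift
    [ -f "$root/popfile.pl" ] || { echo "popfile: $root/popfile.pl not found" >&2; return 2; }
    [ -r "$root/POPFile/Loader.pm" ] || { echo "popfile: $root/POPFile/Loader.pm missing" >&2; return 3; }
    ( cd "$root" && exec ./popfile.pl "$@" )
}

# make_fixture DIR
# Builds a constructed stand-in install tree: a fake popfile.pl that, like the
# real one under a Perl with "." in @INC, only finds its loader relative to the
# current working directory. Exit code 2 mimics the "Can't locate" failure.
make_fixture() {
    dir=$1
    mkdir -p "$dir/POPFile"
    : > "$dir/POPFile/Loader.pm"
    cat > "$dir/popfile.pl" <<'EOF'
#!/bin/sh
# constructed stand-in for popfile.pl: emulate `use POPFile::Loader` looking in "."
if [ -f POPFile/Loader.pm ]; then
    echo "POPFile loader found in $(pwd)"
    exit 0
fi
echo "Can't locate POPFile/Loader.pm in @INC (cwd $(pwd))" >&2
exit 2
EOF
    chmod 0755 "$dir/popfile.pl"
}

# run_direct ROOT
# What comment 5 did: invoke the script by full path from some other directory.
run_direct() {
    ( cd / && "$1/popfile.pl" )
}
```

Running `run_direct` against the fixture fails with exit code 2 because the loader is looked up relative to `/`, while `popfile_wrapper` succeeds because it changes into the install directory first; the two pre-checks in the wrapper turn a missing install or a bad module permission (the chmod problem from comment 6) into a clear message rather than a Perl compile error.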
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 03:42:14 UTC
(In reply to comment #11)
> I just talked to Stuart and we worked out a way to get this to work so everyone
> is happy.  He said he'll have time tomorrow to add the fix, and he'll mark it
> stable for us at the same time.  

stuart, any news on this ?
Comment 13 Stuart Herbert (RETIRED) gentoo-dev 2006-06-10 16:23:33 UTC
Sorry for the delay; I've been a bit unwell this week.

popfile-0.22.4 is now in the tree and (with Mark's permission) has been marked stable on x86.

Best regards,
Stu
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-10 23:33:47 UTC
- removing x86 from CC
- calling a vote for GLSA
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 23:51:53 UTC
I tend to vote NO.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-11 02:04:29 UTC
yet another no
Comment 17 Stuart Herbert (RETIRED) gentoo-dev 2006-06-11 02:20:14 UTC
Why no GLSA?  The affected version of the package was stable ...

Best regards,
Stu
Comment 18 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-11 02:27:45 UTC
Not all vulnerable stable packages automatically force a GLSA. The vulnerability treatment policy (http://www.gentoo.org/security/en/vulnerability-policy.xml) says that there should be a vote for certain ratings (one of them is B3, like this one).
If you want a GLSA, you may comment this here and we might take your opinion into account (but don't have to).
Comment 19 Wolf Giesen (RETIRED) gentoo-dev 2006-06-11 23:39:55 UTC
One more "no".
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-12 02:22:14 UTC
Closing without GLSA, feel free to reopen if you disagree.