Due to insufficient permission checks, an authenticated user is able to delete arbitrary aliases.
Upstream bug: https://github.com/postfixadmin/postfixadmin/pull/23
Upstream patch: https://github.com/svn2github/PostfixAdmin/commit/3b37e47b207f6f65b8dd22967c234ec518e3476a
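The bug class described above (an authenticated user acting on objects that belong to another administrator) is easiest to see as a vulnerable handler next to its hardened form. The following is an added illustration, not PostfixAdmin code and not the upstream patch; the User model, the alias table, the function names and the sample addresses are all assumptions made for the demonstration. The vulnerable version checks only that a session exists; the fixed version ties the check to the object by deriving the domain from the alias address and refusing before the alias table is consulted, so the response does not double as an oracle for which foreign aliases exist.

```python
"""Object-level authorization for an alias-deletion handler.

Added example: a hypothetical, simplified model of an admin panel, not
PostfixAdmin code. Every name below is an assumption for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_superadmin: bool = False
    # Domains this (non-super) admin is allowed to manage.
    domains: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised when the caller may not act on the requested object."""


# Constructed sample state: alias address -> owning domain.
ALIASES = {
    "sales@example.org": "example.org",
    "info@example.net": "example.net",
}


def delete_alias_vulnerable(user, aliases, address):
    """Vulnerable pattern: authentication only.

    Any logged-in admin can remove any alias, because nothing relates the
    alias to the domains the caller administers.
    """
    if user is None:
        raise PermissionDenied("login required")
    if address not in aliases:
        return False
    del aliases[address]
    return True


def delete_alias_fixed(user, aliases, address):
    """Hardened pattern: authorization bound to the object.

    The domain is taken from the address itself and checked against the
    caller's domain list before the alias table is touched, so a denied
    request reveals nothing about whether a foreign alias exists.
    """
    if user is None:
        raise PermissionDenied("login required")
    _, _, domain = address.rpartition("@")
    if not domain or (not user.is_superadmin and domain not in user.domains):
        raise PermissionDenied(f"{user.name} may not manage domain {domain!r}")
    if address not in aliases:
        return False
    del aliases[address]
    return True


def try_delete(handler, user, address):
    """Run a handler against a fresh copy of the sample table and report
    the outcome as one of 'deleted', 'missing' or 'denied', plus the
    aliases that remain afterwards."""
    aliases = dict(ALIASES)
    try:
        outcome = "deleted" if handler(user, aliases, address) else "missing"
    except PermissionDenied:
        outcome = "denied"
    return outcome, sorted(aliases)


if __name__ == "__main__":
    alice = User("alice", domains={"example.org"})
    # alice administers example.org only, yet the vulnerable handler lets
    # her remove an alias belonging to example.net.
    print(try_delete(delete_alias_vulnerable, alice, "info@example.net"))
    print(try_delete(delete_alias_fixed, alice, "info@example.net"))
    print(try_delete(delete_alias_fixed, alice, "sales@example.org"))
```

The same shape applies to any "edit" or "delete" endpoint that takes an identifier from the request: the check must answer "may this principal act on this object", not merely "is this principal logged in".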
@ Maintainer(s): The version in the Gentoo repository (2.3.x) is _not_ affected. However, if you bump, please bump to >=www-apps/postfixadmin-3.0.2.
Now PMASKED and scheduled for removal in 30 days. If you are using www-apps/postfixadmin or want to keep the package in the official Gentoo repository, it is now _your_ time to offer your help, or this package will be removed in 30 days. Non-Gentoo developers who want to help can contribute through the Gentoo Proxy Maintainers project. See https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started for more information.
As per #c1, "Version in Gentoo repository (2.3.x) is _not_ affected." Is removal really the way to go in this case? Note that this guide uses postfixadmin: https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/Admin_Support_Systems
You are right, 2.3.x is not affected. Nevertheless, the package is unmaintained and we have to address bug 604182. We will see if the mask brings us someone who cares about the package. If not, I'll rev bump and only remove the ZendFramework integration, which basically removes the xmlrpc interface, and lift the mask.
+1 I'm interested in this project because I set up a mail server according to the Gentoo guide and was referred to this topic after noticing the mask.
Just saw this come up as a package.mask removal message during an emerge @world. I'm starting from square one on this security issue, but I'd be willing to work on it if it means we can keep the package. Fixing the bug is sure to be less work than maintaining my mailserver without this tool. Wish the existence of this issue could have been announced sooner, perhaps via eselect news.
Non-Gentoo developers who want to help can contribute through the Gentoo Proxy Maintainers project. See https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started for more information. There's already a request for maintainership, see bug 621236. However, that doesn't mean your contribution is no longer required. At the moment it is just a request. So please come up with a patch/pull request so that we can see that you are actually capable of maintaining the package. Also, it is always a good idea to work in teams. I encourage everyone who wants to help with postfixadmin to work together. More than one person can proxy-maintain the same package as long as you are working together.
Unaffected version committed, and mask removed.

commit ac0e6ffd4e7879e451a7c0cef896e45fda46c47d
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jun 15 21:05:03 2017 -0400

    www-apps/postfixadmin: Version Bump

    Version bump to fix security bug 608726. Updated to EAPI 6. Added myself
    and Proxy Maintainers. All are welcome to improve this ebuild through
    Proxy Maintainers, but I will, ultimately, take care of it.

    Bugs: 608726, 621236, 600542.

    Package-Manager: Portage-2.3.5, Repoman-2.3.1
This was fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac0e6ffd4e7879e451a7c0cef896e45fda46c47d. The package is no longer masked. The repository is clean; no affected version is left in the repository.