lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Mar 2010 10:09:10 -0400 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: bugtraq@...urityfocus.com Subject: Multiple vulnerabilities in Deliver ================================== Deliver, multiple vulnerabilites March 24, 2010 CVE-2010-0439 ================================== ==Description== Deliver (http://deliver.sourceforge.net/), a mail delivery program installed suid root as /usr/bin/deliver, is vulnerable to several race conditions that can be exploited by a local attacker using symbolic links. On systems using Deliver over NFS, these attacks can result in gaining root privileges via taking ownership of critical system files. On other systems, these attacks can result in denial-of-service conditions and information disclosure. In addition, users can deny service to other users by creating lockfiles for other users' mailboxes. ==Solution== Users are advised to discontinue use of Deliver in the absence of a patch or new release from the developer. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@...il.com). ==Timeline== 1/14/10 - Vulnerabilities discovered 1/27/10 - Developer notified 1/27/10 - Developer response, fix planned 3/20/10 - Fix deadlines repeatedly passed, disclosure date set at 3/24/10 3/24/10 - Disclosure ==References== CVE identifier CVE-2010-0439 has been assigned to these issues.
Powered by blists - more mailing lists