[27773] in bugtraq
[Security Announce] Re: MDKSA-2002:076 - perl-MailTools update
daemon@ATHENA.MIT.EDU (Vincent Danen)
Fri Nov 8 17:57:36 2002
Date: Thu, 7 Nov 2002 18:38:23 -0700
To: announce@mandrakesecure.net
From: Vincent Danen <vdanen@mandrakesoft.com>
In-Reply-To: <20021107232211.9410.qmail@updates.mandrakesoft.com>
Message-Id: <C524F2E3-F2BA-11D6-9834-00039344D6A2@mandrakesoft.com>
Reply-To: security-discuss@linux-mandrake.com
On Thursday, November 7, 2002, at 04:22 PM, Mandrake Linux Security
Team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ________________________________________________________________________
>
> Mandrake Linux Security Update Advisory
> ________________________________________________________________________
>
> Package name: perl-MailTools
> Advisory ID: MDKSA-2002:076
> Date: November 7th, 2002
>
> Affected versions: 7.2, 8.0, 8.1, 8.2, 9.0
> ________________________________________________________________________
>
> Problem Description:
>
> A vulnerability was discovered in Mail::Mailer perl module by the SuSE
> security team during an audit. The vulnerability allows remote
> attackers to execute arbitrary commands in certain circumstances due
> to the usage of mailx as the default mailer, a program that allows
> commands to be embedded in the mail body.
>
> This module is used by some auto-response programs and spam filters
> which make use of Mail::Mailer.
> ________________________________________________________________________
>
> References:
>
> http://mail.python.org/pipermail/python-dev/2002-August/027223.html
> http://python.org/sf/590294
My apologies. These aren't the references for this vulnerability;
they're for the python vulnerability we're working on.
Sorry for the confusion.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}