rpms/ssmtp/devel ssmtp-bcc-fix.patch, NONE, 1.1 ssmtp-password-leak.patch, NONE, 1.1 ssmtp-ssl.certificate.nomatch.patch, NONE, 1.1 ssmtp.spec, 1.4, 1.5
Manuel Wolfshant (wolfy)
fedora-extras-commits at redhat.com
Fri Dec 8 00:10:24 UTC 2006
Author: wolfy
Update of /cvs/extras/rpms/ssmtp/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15358
Modified Files:
ssmtp.spec
Added Files:
ssmtp-bcc-fix.patch ssmtp-password-leak.patch
ssmtp-ssl.certificate.nomatch.patch
Log Message:
security fix - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369542
ssmtp-bcc-fix.patch:
--- NEW FILE ssmtp-bcc-fix.patch ---
--- ssmtp-2.61.redhat/ssmtp.c 2006-12-08 01:25:35.000000000 +0200
+++ ssmtp-2.61.debian/ssmtp.c 2006-12-08 01:24:25.000000000 +0200
@@ -708,6 +704,10 @@
else if(strncasecmp(ht->string, "Bcc:", 4) == 0) {
p = (ht->string + 4);
rcpt_parse(p);
+ /* Undo adding the header to the list: */
+ free(ht->string);
+ ht->string = NULL;
+ return;
}
else if(strncasecmp(ht->string, "CC:", 3) == 0) {
p = (ht->string + 3);
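Review bot: In the Bcc: branch, rcpt_parse(p) is handed a pointer into ht->string and the added lines free that buffer immediately afterwards, so this is only safe if rcpt_parse copies each address instead of keeping pointers into p. Please confirm that and say so in the comment. The comment also claims the header is removed from the list, but the visible lines only free the string and set it to NULL; the ht node itself is not unlinked, so the code that later walks the header list must skip entries whose string is NULL, or the node should be unlinked here.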
ssmtp-password-leak.patch:
--- NEW FILE ssmtp-password-leak.patch ---
--- ssmtp-2.61.redhat/ssmtp.c 2006-12-08 01:25:35.000000000 +0200
+++ ssmtp-2.61.debian/ssmtp.c 2006-12-08 01:24:25.000000000 +0200
@@ -1404,6 +1406,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+ bool_t minus_v_save;
int timeout = 0;
outbytes = 0;
@@ -1520,7 +1523,12 @@
#ifdef MD5AUTH
}
#endif
+ /* We do NOT want the password output to STDERR
+ * even base64 encoded.*/
+ minus_v_save = minus_v;
+ minus_v = False;
outbytes += smtp_write(sock, "%s", buf);
+ minus_v = minus_v_save;
(void)alarm((unsigned) MEDWAIT);
if(smtp_okay(sock, buf) == False) {
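Review bot: Saving and restoring the global minus_v around the smtp_write call is fragile: any later edit that adds an early return between "minus_v = False;" and "minus_v = minus_v_save;" leaves verbose output switched off for the rest of the session, and any other place that sends credentials has to repeat the same pattern. Because this write sits after the #ifdef MD5AUTH block, it also silences whatever buf holds on that path. Consider a write helper that never echoes its argument, or print a fixed redacted marker when minus_v is set so -v output still shows that the authentication step was sent.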
ssmtp-ssl.certificate.nomatch.patch:
--- NEW FILE ssmtp-ssl.certificate.nomatch.patch ---
--- ssmtp-2.61.redhat/ssmtp.c 2006-12-08 01:25:35.000000000 +0200
+++ ssmtp-2.61.debian/ssmtp.c 2006-12-08 01:24:25.000000000 +0200
@@ -1138,10 +1138,12 @@
return(-1);
}
+#ifdef NOT_USED
if(!SSL_CTX_check_private_key(ctx)) {
log_event(LOG_ERR, "Private key does not match the certificate public key\n");
return(-1);
}
+#endif
}
#endif
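Review bot: The #ifdef NOT_USED around SSL_CTX_check_private_key(ctx) compiles out the check that the loaded private key matches the certificate, and nothing in the hunk says why. With it disabled, a mismatched key and certificate is no longer rejected here with the "Private key does not match the certificate public key" log message, so the misconfiguration only surfaces later, if at all. Add a comment giving the reason and the bug reference, and if the check really is unwanted, delete it instead of leaving dead code behind a macro that is never defined.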
Index: ssmtp.spec
===================================================================
RCS file: /cvs/extras/rpms/ssmtp/devel/ssmtp.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- ssmtp.spec 28 Nov 2006 03:44:40 -0000 1.4
+++ ssmtp.spec 8 Dec 2006 00:09:53 -0000 1.5
@@ -1,6 +1,6 @@
Name: ssmtp
Version: 2.61
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: Extremely simple MTA to get mail off the system to a Mailhub
Group: Applications/Internet
License: GPL
@@ -10,6 +10,9 @@
Patch0: %{name}-%{version}.6.patch
Patch1: %{name}-2.50.3-maxsysuid.patch
Patch2: %{name}-defaultvalues.patch
+Patch3: %{name}-ssl.certificate.nomatch.patch
+Patch4: %{name}-password-leak.patch
+Patch5: %{name}-bcc-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Provides: MTA smtpdaemon %{_sbindir}/sendmail
Requires(post): %{_sbindir}/alternatives
@@ -32,6 +35,9 @@
%patch -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
%build
@@ -105,6 +111,11 @@
%changelog
+* Fri Dec 08 2006 lonely wolf <wolfy at nobugconsulting.ro> 2.61-11
+- fix security leak (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369542 )
+- include more patches from debian (report an error in treating Bcc: addresses and if the SSL certificate does not match )
+
+%changelog
* Tue Nov 28 2006 lonely wolf <wolfy at nobugconsulting.ro> 2.61-10
- fix silly typo in changelog
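Review bot: The added "+%changelog" line after the new 2.61-11 entry puts a second %changelog tag in the spec, because the unchanged context line directly above the new entry already opens the section; drop the added tag. The entry text also says the Debian patches "report an error ... if the SSL certificate does not match", while ssmtp-ssl.certificate.nomatch.patch in this same commit compiles the key/certificate match check out under NOT_USED, so the wording should describe what the patch actually does.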