Carlos - thanx for posting it to this list - I upgraded but since have not used the server yet so I did not even notice it.

I like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as well - Rather than rolling back the whole update I have just restored the old notify script to make it work again - have not had the time to look through the changes yet to see why it breaks.

SuSE - please fix it...

Best regards
Hubba

On Wed, 25 Jan 2006 23:38:19 +0100 (CET), Carlos E. R. wrote
After updating hylafax by YOU, in SuSE 9.3, to version "hylafax-4.2.1-4.3", notify email is not sent:
Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
* Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /
This patch modified precisely the notify script:
| Longdescription.english:
| This update fixes an issue in the hylafax notify script,
| which could maybe be used by remote attackers with a valid
| faxuser account to run arbitrary commands.
I would recommend not to apply it till SuSE corrects the problem. I'll probably roll back.
--
Cheers, Carlos Robinson