Problem with last Hylafax update (notify script)
After updating hylafax by YOU, in SuSE 9.3, to version "hylafax-4.2.1-4.3", notify email is not sent:

Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
* Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /

This patch modified precisely the notify script:

| Longdescription.english:
| This update fixes an issue in the hylafax notify script,
| which could maybe be used by remote attackers with a valid
| faxuser account to run arbitrary commands.

I would recommend not applying it until SuSE corrects the problem. I'll probably roll back.

--
Cheers,
Carlos Robinson
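The log above shows FaxQueuer reporting "NOTIFY exit status: 0" at the same second that sendmail refuses the message for lack of a recipient, so a notify script broken by the update fails silently. The following is an added example, not code from the thread or from HylaFAX, that scans syslog lines for exactly that pattern; the sample log is a constructed copy of the excerpt above, the year 2006 and a 5-second correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the syslog excerpt posted in the thread (year assumed to be 2006).
SAMPLE_LOG = """\
Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w/]+)\[(\d+)\]: (.*)$")
NOTIFY_RE = re.compile(r'^NOTIFY: bin/notify "([^"]+)" "([^"]+)"')
STATUS_RE = re.compile(r"^NOTIFY exit status: (\d+)")
SENDMAIL_FATAL = "fatal: No recipient addresses found"


def parse(line, year=2006):
    """Split one syslog line into timestamp, program, pid and message (None if not syslog)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m.group(3), "pid": int(m.group(4)), "msg": m.group(5)}


def find_silent_notify_failures(log_text, window_s=5):
    """Return (queue_file, exit_status, sendmail_error) for every NOTIFY run that FaxQueuer
    reported as exit status 0 while sendmail logged a 'no recipient' fatal within window_s seconds."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    fatals = [e for e in events
              if e["prog"] == "postfix/sendmail" and SENDMAIL_FATAL in e["msg"]]
    findings = []
    for i, e in enumerate(events):
        n = NOTIFY_RE.match(e["msg"]) if e["prog"] == "FaxQueuer" else None
        if not n:
            continue
        # The exit status line is logged later by the same FaxQueuer pid.
        status = next((int(STATUS_RE.match(x["msg"]).group(1)) for x in events[i + 1:]
                       if x["pid"] == e["pid"] and STATUS_RE.match(x["msg"])), None)
        near = [f for f in fatals if abs((f["ts"] - e["ts"]).total_seconds()) <= window_s]
        if status == 0 and near:
            findings.append((n.group(1), status, near[0]["msg"]))
    return findings


if __name__ == "__main__":
    for queue_file, status, err in find_silent_notify_failures(SAMPLE_LOG):
        print(f"{queue_file}: notify exited {status} but sendmail said: {err}")
```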
Carlos - thanks for posting it to this list - I upgraded but since have not used the server yet, so I did not even notice it.

I'd like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as well. Rather than rolling back the whole update I have just restored the old notify script to make it work again; I have not had the time to look through the changes yet to see why it breaks.

SuSE - please fix it...

Best regards
Hubba

On Wed, 25 Jan 2006 23:38:19 +0100 (CET), Carlos E. R. wrote:
The Friday 2006-01-27 at 13:30 -0000, Hubertus A. Haniel wrote:

| Carlos - thanks for posting it to this list - I upgraded but since have not used the server yet, so I did not even notice it.
|
| I'd like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as well. Rather than rolling back the whole update I have just restored the old notify script to make it work again; I have not had the time to look through the changes yet to see why it breaks.

Thanks! Due to the lack of comments, I was starting to think I was alone.

| SuSE - please fix it...

I wonder if they noticed; they didn't post the announcement for this one yet.

--
Cheers,
Carlos Robinson
Carlos E. R. wrote:

| I wonder if they noticed; they didn't post the announcement for this one yet.
I have filed it in the Novell Bugzilla but I have not too much faith that they will accept the bug unless somebody reproduces this on the 10.0/10.1 distros.

Best regards
Hubba
The Friday 2006-01-27 at 22:00 -0000, Hubertus A. Haniel wrote:

| I have filed it in the Novell Bugzilla but I have not too much faith that they will accept the bug unless somebody reproduces this on the 10.0/10.1 distros.

It is a bug introduced by the last security update; therefore, it is the responsibility of the SuSE folks to undo it. I forwarded it to "security at suse.de", but so far, not even an acknowledgment.

--
Cheers,
Carlos Robinson
Carlos E. R. wrote:

| It is a bug introduced by the last security update; therefore, it is the responsibility of the SuSE folks to undo it. I forwarded it to "security at suse.de", but so far, not even an acknowledgment.
I completely agree with your statement, but unfortunately I had different experiences with Novell (not SuSE) recently, where it was difficult to get something fixed on an older platform, especially if it is a component which is not part of SLES, if it was not a security issue.

Best regards
Hubba
On Sat, Jan 28, 2006 at 02:08:21AM +0000, Hubertus A. Haniel wrote:

| I completely agree with your statement, but unfortunately I had different experiences with Novell (not SuSE) recently, where it was difficult to get something fixed on an older platform, especially if it is a component which is not part of SLES, if it was not a security issue.
Yes, we usually do not fix bugs for older SUSE Linux versions that are not critical.

The hylafax issue will be fixed however.

ciao, Marcus
The Saturday 2006-01-28 at 19:28 +0100, Marcus Meissner wrote:

| Yes, we usually do not fix bugs for older SUSE Linux versions that are not critical.

It is a bug introduced by the last security update:

| ## Patch description of patch 60ef4c14b4dab97c3635e66c75926796
| Kind: security
...
| Longdescription.english:
| This update fixes an issue in the hylafax notify script,
| which could maybe be used by remote attackers with a valid
| faxuser account to run arbitrary commands.
| Hsilgne.noitpircsedgnol:

It renders part of the package non-workable; we have to revert to the older, insecure rpm version.

It affects, as far as I know, 9.2 and 9.3 - perhaps more.

| The hylafax issue will be fixed however.

Thanks.

--
Cheers,
Carlos Robinson
Carlos E. R. wrote:

| It affects, as far as I know, 9.2 and 9.3 - perhaps more.
I have also had a report of somebody having reproduced this on 10.0 OSS now.

Regards
Hubba
participants (3)
- Carlos E. R.
- Hubertus A. Haniel
- Marcus Meissner