Mailinglist Archive: opensuse-security (78 mails)

Re: [suse-security] Problem with last Hylafax update (notify script)
  • From: "Hubertus A. Haniel" <hubba@xxxxxxxxxxxx>
  • Date: Fri, 27 Jan 2006 13:30:01 +0000
  • Message-id: <20060127131807.M4668@xxxxxxxxxxxx>
Carlos - thanks for posting it to this list - I upgraded but have not used
the server since, so I did not even notice it.

I would like to confirm that this is a problem on SuSE 9.2 with hylafax-4.2.0-5.4 as
well - rather than rolling back the whole update I have just restored the old
notify script to make it work again - I have not had the time to look through the
changes yet to see why it breaks.

SuSE - please fix it...


Best regards
Hubba





On Wed, 25 Jan 2006 23:38:19 +0100 (CET), Carlos E. R. wrote
> After updating hylafax by YOU, in SuSE 9.3, to version
> "hylafax-4.2.1-4.3", notify email is not sent:
>
> Jan 25 21:23:11 nimrodel FaxSend[8086]: MODEM U.S. ROBOTICS 56K FAX /
>
> Jan 25 21:23:11 nimrodel FaxSend[8086]: SEND FAX: JOB 11 DEST 915811939 COMMID 000000023 DEVICE '/dev/modem'
> Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
> Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
> Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
> * Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
> Jan 25 21:25:08 nimrodel FaxGetty[7745]: MODEM U.S. ROBOTICS 56K FAX /
>
> This patch modified precisely the notify script:
>
> | Longdescription.english:
> | This update fixes an issue in the hylafax notify script,
> | which could maybe be used by remote attackers with a valid
> | faxuser account to run arbitrary commands.
>
> I would recommend not to apply it till SuSE corrects the problem. I'll
> probably roll back.
>
> - --
> Cheers,
> Carlos Robinson
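
The log quoted above shows `bin/notify` returning exit status 0 while sendmail rejects the message, so the exit status alone does not reveal the regression. The following is an added example, not part of the original thread: a check that correlates FaxQueuer NOTIFY entries with sendmail fatal errors in syslog. The function names, the 5-second correlation window and the embedded sample (rebuilt from the quoted log lines) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: syslog lines rebuilt from the report quoted in the thread.
SAMPLE_LOG = """\
Jan 25 21:24:50 nimrodel FaxSend[8086]: SEND FAX: JOB 11 SENT in 1:17
Jan 25 21:24:51 nimrodel FaxQueuer[7765]: NOTIFY: bin/notify "doneq/q11" "done" "1:55"
Jan 25 21:24:52 nimrodel FaxQueuer[7765]: NOTIFY exit status: 0 (8135)
* Jan 25 21:24:51 nimrodel postfix/sendmail[8143]: fatal: No recipient addresses found in message header
"""

# timestamp, host, program, pid, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
NOTIFY = re.compile(r'^NOTIFY: bin/notify "([^"]+)" "([^"]+)"')
WINDOW = timedelta(seconds=5)  # assumption: sendmail runs within seconds of notify
YEAR = "2006"                  # syslog omits the year; taken from the mail date


def parse(text):
    """Yield (timestamp, program, message) for each well-formed syslog line."""
    for raw in text.splitlines():
        # The report marks the interesting line with a leading "* ".
        m = LINE.match(raw.lstrip("* "))
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(5)


def failed_notifications(text):
    """Return (queue_file, reason, error) for notify runs whose mail was rejected."""
    events = list(parse(text))
    failures = []
    for ts, prog, msg in events:
        n = NOTIFY.match(msg) if prog == "FaxQueuer" else None
        if not n:
            continue
        # A sendmail fatal error close in time means the notification was lost,
        # even though FaxQueuer logs "NOTIFY exit status: 0".
        for ts2, prog2, msg2 in events:
            if (prog2.endswith("sendmail") and msg2.startswith("fatal:")
                    and abs(ts2 - ts) <= WINDOW):
                failures.append((n.group(1), n.group(2), msg2))
    return failures


if __name__ == "__main__":
    for qfile, reason, error in failed_notifications(SAMPLE_LOG):
        print(f"notify for {qfile} ({reason}) produced no mail: {error}")
```
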

