pkgsrc-Bugs archive


pkg/38349: Security update of policyd-weight to 0.1.14.17



>Number:         38349
>Category:       pkg
>Synopsis:       Security update of policyd-weight to 0.1.14.17
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 31 13:20:00 +0000 2008
>Originator:     Bartosz Kuzma
>Release:        4.0
>Organization:
>Environment:
>Description:
Changes since 0.1.14.5:

0.1.14 beta-17

- (security)  Using File::Spec->canonpath for normalization (trailing slashes)
              Check ownership of real directories to avoid race attacks
              for symlinks.
              Thanks to Robert Buchholz.        

0.1.14 beta-16 (not released)

- (security)  The check for symlinked directories was half complete.
              perl ignores -l if the argument has a trailing slash.
              Thanks to Andrej Kacian.

 
0.1.14 beta-15

- (security)  $LOCKPATH and its contents weren't checked for being
              a symlink which. Thanks to Chris Howells and Andrej Kacian.

- (fix)       "dedicated" added to the exclusion list for dialup
              checks. A better approach would be to let the user
              configure dialup and exclude patterns.


0.1.14 beta-14

- (change)    rbls.org link changed to robtext.com

- (change)    results with 'rc:' as action are not cached

- (fix)       regexp check for dynamic helo/client did hit also some
              clients with "static"

- (fix)       helo numeric check was too fuzzy.

- (fix)       master didn't read config after policyd-weight reload


- (fix)       HELO_SEEMS_DIALUP may have scored even if the IP is listed
              for the sender domain.

- (fix)       An interrupt of policyd-weight -s may cause a SIGPIPE
              which killed the cache


- (change)    Implemented $NS list. Useful for users with split
              horizon DNS

- (fix)       don't cache rejections which were deferred (4xx and friends)


- (fix)       helo_numeric_score didn't catch [n.n.n.n] helos


- (fix)       Header was not included if $dnsbl_checks_only = 1; and
              $ADD_X_HEADER = 1; - Thanks to J. Genannt

- (fix)       Corrected handling of [n.n.n.n] HELOs and address-literals
              as sender (long standing issue)

- (change)    Introduced @dnsbl_checks_only_regexps in order to skip
              DNS checks for certain client hostnames

- (change)    Added -D (Don't detach) switch for daemon-tools/runit users

- (change)    Added signal handlers for most signals so that they are
              at least logged, also, provide a perl backtrace.

- (change)    prerequisite steps for providing coredumps (build coredump
              directories, chdir) - coredumps are non-trivial:
              we start as root, change uid. At this moment coredumps
              are denied by kernel in order to protect root-data. The only 
              workaround would be, to start cache and master via system() 
              after changing uid

- (change)    In daemon mode wrongly crafted policy requests don't lead
              to a child-exit anymore, only the connection is closed

- (change)    log-facilities other than 'info' are now mentioned in log-lines

- (change)    SMTP information such as client, helo, sender and to are now
              logged in each log-message. If $DEBUG is set this also logs
              the instance variable.

- (fix)       rbl_lookup used sometimes 65536 as packet id which appeared
              to cause problems

- (fix)       Check for syslog absence. If syslog is not available then
              log temporarily to $LOCKPATH/polw-emergency.log

- (tmpfix)    Introduced $TRY_BALANCE which closes connections to smtpds after
              they got their response in order to avoid too many established
              smtpd->policyd-weight (child) connections.
>How-To-Repeat:

>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/policyd-weight/Makefile,v
retrieving revision 1.1.1.1
diff -r1.1.1.1 Makefile
4c4
< DISTNAME=             policyd-weight-0.1.14.5
---
> DISTNAME=             policyd-weight-0.1.14.17
8c8
< MAINTAINER=           bartosz%atom.eu.org@localhost
---
> MAINTAINER=           bartosz.kuzma%gmail.com@localhost
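Review bot: the MAINTAINER change in the 8c8 hunk is unrelated to the security update and should be mentioned in the commit message or committed separately. Both addresses appear here in the archive's mangled form (`%` and `@localhost`), so the committer needs the real address from the submitter rather than copying `bartosz.kuzma%gmail.com@localhost` from this page. The patch is also in plain `diff` format without context lines; a unified diff would be safer to apply if the Makefile has moved on from revision 1.1.1.1.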
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/policyd-weight/distinfo,v
retrieving revision 1.1.1.1
diff -r1.1.1.1 distinfo
3,5c3,5
< SHA1 (policyd-weight-0.1.14.5.tar.gz) = 
f913aee3813bdc9f6fd67da1c586e2ea80122fae
< RMD160 (policyd-weight-0.1.14.5.tar.gz) = 
bb5db4aa41cfcf6282a4d140ba9fd7b67e35e2bf
< Size (policyd-weight-0.1.14.5.tar.gz) = 50043 bytes
---
> SHA1 (policyd-weight-0.1.14.17.tar.gz) = 
> 8b260869cc0206ba72f750d57df24df1de905a08
> RMD160 (policyd-weight-0.1.14.17.tar.gz) = 
> c668feedab8d4df85502eb0258f0924b20c1fcbb
> Size (policyd-weight-0.1.14.17.tar.gz) = 54942 bytes
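Review bot: the SHA1 and RMD160 values in the 3,5c3,5 hunk are wrapped onto their own lines, and the wrapped `<` lines have lost their prefix, so this hunk will not apply as mailed. Since this is a security update, regenerate distinfo with `make makesum` from a freshly fetched policyd-weight-0.1.14.17.tar.gz and compare the result, including the 54942-byte size, against the values here and against upstream instead of hand-joining the lines.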

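The three (security) entries in the changelog above (beta-15 to beta-17) describe one directory check built up in stages: look at the name with lstat, normalise away the trailing slash first, and verify ownership of the real directory. A sketch of that check in Perl, as an added example that is not policyd-weight's code; `check_lock_dir` and the directory names are hypothetical, and the demo tree is constructed in a temporary directory:

```perl
#!/usr/bin/perl
# Added example, not policyd-weight source. Function and directory names are
# hypothetical; the demo tree is constructed in a temporary directory.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;
use File::Temp qw(tempdir);

# Returns a list of problems; an empty list means the directory passed.
sub check_lock_dir {
    my ($path, $want_uid) = @_;
    # beta-17: normalise first so "dir/" and "dir" are tested as the same name.
    my $clean = File::Spec->canonpath($path);
    # beta-15/16: lstat the name itself, never the link target.
    my @st = lstat($clean);
    return ("cannot lstat $clean: $!") unless @st;
    return ("$clean is a symlink")       if S_ISLNK($st[2]);
    return ("$clean is not a directory") unless S_ISDIR($st[2]);
    my @problems;
    # beta-17: the real directory must belong to the expected user.
    push @problems, "$clean is owned by uid $st[4], expected $want_uid"
        if $st[4] != $want_uid;
    # beta-15: the directory's contents must not be symlinks either.
    opendir(my $dh, $clean) or return (@problems, "cannot open $clean: $!");
    for my $entry (grep { $_ ne '.' && $_ ne '..' } readdir $dh) {
        my $full = File::Spec->catfile($clean, $entry);
        my @est  = lstat($full);
        push @problems, "$full is a symlink" if @est && S_ISLNK($est[2]);
    }
    closedir $dh;
    return @problems;
}

# Constructed demo: a real directory, a symlink to it, and a symlinked entry.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/real" or die "mkdir: $!";
symlink "$base/real", "$base/link" or die "symlink: $!";
symlink "$base/elsewhere", "$base/real/cache.sock" or die "symlink: $!";

# The beta-16 pitfall: with a trailing slash, -l no longer sees the link.
printf "-l %-6s => %s\n", $_, (-l "$base/$_" ? "symlink" : "not a symlink")
    for "link", "link/";

for my $dir ("$base/real/", "$base/link/") {
    my @problems = check_lock_dir($dir, $>);
    print "$dir: ", (@problems ? join("; ", @problems) : "ok"), "\n";
}
```

The ownership test matters because an lstat result is only a snapshot: the check holds only while nobody but the expected user can rename or replace the directory afterwards.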

