pkg/38349: Security update of policyd-weight to 0.1.14.17
>Synopsis: Security update of policyd-weight to 0.1.14.17
>Arrival-Date: Mon Mar 31 13:20:00 +0000 2008
>Originator: Bartosz Kuzma
Changes since 0.1.14.5:
- (security) Using File::Spec->canonpath for normalization (trailing slashes)
Check ownership of real directories to avoid race attacks
Thanks to Robert Buchholz.
0.1.14 beta-16 (not released)
- (security) The check for symlinked directories was half complete.
perl ignores -l if the argument has a trailing slash.
Thanks to Andrej Kacian.
- (security) $LOCKPATH and its contents weren't checked for being
a symlink which. Thanks to Chris Howells and Andrej Kacian.
- (fix) "dedicated" added to the exclusion list for dialup
checks. A better approach would be to let the user
configure dialup and exclude patterns.
- (change) rbls.org link changed to robtext.com
- (change) results with 'rc:' as action are not cached
- (fix) regexp check for dynamic helo/client did hit also some
clients with "static"
- (fix) helo numeric check was too fuzzy.
- (fix) master didn't read config after policyd-weight reload
- (fix) HELO_SEEMS_DIALUP may have scored even if the IP is listed
for the sender domain.
- (fix) An interrupt of policyd-weight -s may cause a SIGPIPE
which killed the cache
- (change) Implemented $NS list. Useful for users with split
- (fix) don't cache rejections which were deferred (4xx and friends)
- (fix) helo_numeric_score didn't catch [n.n.n.n] helos
- (fix) Header was not included if $dnsbl_checks_only = 1; and
$ADD_X_HEADER = 1; - Thanks to J. Genannt
- (fix) Corrected handling of [n.n.n.n] HELOs and address-literals
as sender (long standing issue)
- (change) Introduced @dnsbl_checks_only_regexps in order to skip
DNS checks for certain client hostnames
- (change) Added -D (Don't detach) switch for daemon-tools/runit users
- (change) Added signal handlers for most signals so that they are
at least logged, also, provide a perl backtrace.
- (change) prerequisite steps for providing coredumps (build coredump
directories, chdir) - coredumps are non-trivial:
we start as root, change uid. At this moment coredumps
are denied by kernel in order to protect root-data. The only
workaround would be, to start cache and master via system()
after changing uid
- (change) In daemon mode wrongly crafted policy requests don't lead
to a child-exit anymore, only the connection is closed
- (change) log-facilities other than 'info' are now mentioned in log-lines
- (change) SMTP information such as client, helo, sender and to are now
logged in each log-message. If $DEBUG is set this also logs
the instance variable.
- (fix) rbl_lookup used sometimes 65536 as packet id which appeared
to cause problems
- (fix) Check for syslog absence. If syslog is not available then
log temporarily to $LOCKPATH/polw-emergency.log
- (tmpfix) Introduced $TRY_BALANCE which closes connections to smtpds after
they got their response in order to avoid too many established
smtpd->policyd-weight (child) connections.
RCS file: /cvsroot/pkgsrc/mail/policyd-weight/Makefile,v
retrieving revision 188.8.131.52
diff -r184.108.40.206 Makefile
< DISTNAME= policyd-weight-0.1.14.5
> DISTNAME= policyd-weight-0.1.14.17
< MAINTAINER= bartosz%atom.eu.org@localhost
> MAINTAINER= bartosz.kuzma%gmail.com@localhost
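Review bot: The MAINTAINER line changes from bartosz%atom.eu.org@localhost to bartosz.kuzma%gmail.com@localhost alongside the DISTNAME bump to 0.1.14.17, and that address change is unrelated to the security update. Mention it explicitly in the commit message, or commit it separately, so the history of the security fix contains only the version change.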
RCS file: /cvsroot/pkgsrc/mail/policyd-weight/distinfo,v
retrieving revision 220.127.116.11
diff -r18.104.22.168 distinfo
< SHA1 (policyd-weight-0.1.14.5.tar.gz) =
< RMD160 (policyd-weight-0.1.14.5.tar.gz) =
< Size (policyd-weight-0.1.14.5.tar.gz) = 50043 bytes
> SHA1 (policyd-weight-0.1.14.17.tar.gz) =
> RMD160 (policyd-weight-0.1.14.17.tar.gz) =
> Size (policyd-weight-0.1.14.17.tar.gz) = 54942 bytes
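Review bot: The SHA1 and RMD160 lines for policyd-weight-0.1.14.17.tar.gz show nothing after the "=", so as submitted only the Size value (54942 bytes) can be compared against the fetched distfile. Regenerate distinfo from the upstream tarball (for example with make makesum) and confirm both digests are present before committing; for a security update the digests are what tie the package to the intended release.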
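The two security entries in the changelog (a -l test defeated by a trailing slash, fixed by File::Spec->canonpath normalization plus an ownership check on the real directory) can be reproduced as below. This is an added example, not policyd-weight's own code; `check_lock_dir` and the temporary directory layout are hypothetical and constructed for the demonstration.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Added example, not policyd-weight's own code.
# Returns undef when $path is acceptable, otherwise a reason string.
# $uid is the account that must own the directory.
sub check_lock_dir {
    my ($path, $uid) = @_;
    # canonpath drops trailing slashes, so lstat() examines the link
    # itself instead of the directory the link resolves to.
    my $clean = File::Spec->canonpath($path);
    my @st = lstat($clean) or return "cannot lstat $clean: $!";
    return "$clean is a symlink"       if -l _;
    return "$clean is not a directory" unless -d _;
    return "$clean is owned by uid $st[4], expected $uid"
        if $st[4] != $uid;
    return;
}

# Constructed demo layout: one real directory and a symlink to it.
my $base = tempdir(CLEANUP => 1);
my $real = "$base/real";
my $link = "$base/link";
mkdir $real or die "mkdir: $!";
symlink $real, $link or die "symlink: $!";

# The naive test: with a trailing slash the link is resolved first,
# so -l reports false for a path that is in fact a symlink.
printf "-l %-6s => %s\n", 'link',  (-l $link    ? 'symlink' : 'not a symlink');
printf "-l %-6s => %s\n", 'link/', (-l "$link/" ? 'symlink' : 'not a symlink');

# The normalized check rejects the link with or without the slash.
for my $p ($real, "$real/", $link, "$link/") {
    my $why = check_lock_dir($p, $>);
    printf "%-45s %s\n", $p, defined $why ? "REJECT: $why" : 'ok';
}
```

The check narrows the window but does not remove it: the directory should be owned by the daemon's account so that another local user cannot replace it between the check and its use.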