pkgsrc-Bugs archive


pkg/42839: Vulnerable mail/maildrop package in pkgsrc-current (version 2.0.4nb3)



>Number:         42839
>Category:       pkg
>Synopsis:       Vulnerable mail/maildrop package in pkgsrc-current (version 2.0.4nb3)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 18 01:20:00 +0000 2010
>Originator:     Bug Hunting
>Release:        
>Organization:
>Environment:
>Description:
The mail/maildrop package in pkgsrc-current, being at version 2.0.4nb3,
is vulnerable and should therefore be updated.
>How-To-Repeat:
Update pkgsrc-current, then:

$ cd /usr/pkgsrc/mail/maildrop/
$ make package-name | xargs /usr/pkg/sbin/pkg_admin -v audit-pkg -e
Package maildrop-2.0.4nb3 has a privilege-escalation vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0301
>Fix:
Update the package to at least version 2.4; the `2010-01-14' entry at
<http://www.courier-mta.org/maildrop/changelog.html> states that this is
the version in which the vulnerability has been fixed.  (While at it,
updating to the latest release, 2.4.1, would of course be better.)

No actual details on such an upgrade are provided here.

Also, related to this, the pkg-vulnerabilities file should be altered to
indicate that only maildrop versions lower than 2.4 are vulnerable; to
accomplish this, the first column in the line
``maildrop-[0-9]*         privilege-escalation            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0301'' should be
changed accordingly.
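As an added illustration (this is not part of the PR, and not pkg_admin's own code), the following Python script re-implements just enough of pkg-vulnerabilities pattern matching to show why the `maildrop-[0-9]*` entry quoted in the PR flags every maildrop version, including the fixed 2.4 and 2.4.1, while a dewey-style pattern restricted to versions below 2.4 flags only the vulnerable ones. The dewey comparison is a simplified rendering of pkg_install's rules (numeric components, `nb` package revisions compared last, alpha/beta/pre/rc ordered before the release); the `maildrop<2.4` pattern is an assumed way of writing the narrowing the PR asks for, and both sample entries are constructed from the line quoted above.

```python
"""Toy pkg-vulnerabilities matcher (added example, not pkg_admin's code)."""
import fnmatch
import re

# Dewey modifiers, ordered as in pkgsrc: alpha < beta < pre/rc < release; pl == release
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_TOKEN = re.compile(r"(\d+|alpha|beta|pre|rc|pl|nb|[a-zA-Z]|[._-])")


def dewey_parse(version):
    """Split a pkgsrc version such as '2.0.4nb3' into (components, nb_revision)."""
    comps, nb, rest = [], 0, version
    while rest:
        m = _TOKEN.match(rest)
        if m is None:
            raise ValueError("unparseable version: %r" % version)
        tok, rest = m.group(0), rest[m.end():]
        if tok == "nb":                      # 'nbN' is the pkgsrc package revision
            digits = re.match(r"\d+", rest)
            nb = int(digits.group(0)) if digits else 0
            rest = rest[digits.end():] if digits else rest
        elif tok.isdigit():
            comps.append(int(tok))
        elif tok in _MODIFIERS:
            comps.append(_MODIFIERS[tok])
        elif tok.isalpha():                  # a single trailing letter: 2.0a < 2.0b
            comps.append(ord(tok.lower()) - ord("a") + 1)
        else:
            comps.append(0)                  # '.', '_' and '-' are separators
    return comps, nb


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing version a to version b (nb revision decides ties)."""
    ca, na = dewey_parse(a)
    cb, nbb = dewey_parse(b)
    n = max(len(ca), len(cb))
    ca += [0] * (n - len(ca))                # missing trailing components count as 0
    cb += [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nbb) - (na < nbb)


_DEWEY_PAT = re.compile(r"^(?P<name>[^<>=]+?)(?P<ops>(?:[<>]=?[^<>=]+)+)$")
_OP = re.compile(r"([<>]=?)([^<>=]+)")


def pkg_match(pattern, pkgname):
    """True if pkgname (e.g. 'maildrop-2.0.4nb3') matches a pkg-vulnerabilities pattern.

    Supports {a,b} alternatives, dewey patterns such as 'name<2.4' or
    'name>=2.0<2.4', and plain globs such as 'name-[0-9]*'.
    """
    alt = re.search(r"\{([^{}]*)\}", pattern)
    if alt:
        return any(pkg_match(pattern[:alt.start()] + a + pattern[alt.end():], pkgname)
                   for a in alt.group(1).split(","))
    d = _DEWEY_PAT.match(pattern)
    if d:
        if "-" not in pkgname:
            return False
        name, ver = pkgname.rsplit("-", 1)
        if name != d.group("name"):
            return False
        for op, bound in _OP.findall(d.group("ops")):
            c = dewey_cmp(ver, bound)
            if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
                return False
        return True
    return fnmatch.fnmatchcase(pkgname, pattern)


def audit(vuln_lines, pkgname):
    """Return (type, url) for every pkg-vulnerabilities entry matching pkgname."""
    hits = []
    for line in vuln_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        if pkg_match(pattern, pkgname):
            hits.append((kind, url))
    return hits


# Constructed sample entries: the first is the line quoted in the PR, the second is an
# assumed narrowing of its first column to versions below 2.4.
CVE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0301"
ORIGINAL_ENTRY = "maildrop-[0-9]*\tprivilege-escalation\t" + CVE_URL
NARROWED_ENTRY = "maildrop<2.4\tprivilege-escalation\t" + CVE_URL


def main():
    for pkg in ("maildrop-2.0.4nb3", "maildrop-2.4rc1", "maildrop-2.4", "maildrop-2.4.1"):
        print("%-18s glob: %-5s dewey: %s" % (pkg, bool(audit([ORIGINAL_ENTRY], pkg)),
                                              bool(audit([NARROWED_ENTRY], pkg))))


if __name__ == "__main__":
    main()
```

Running it shows the glob entry flagging all four package names, while the dewey entry flags only 2.0.4nb3 and 2.4rc1; that is the difference the last paragraph of the PR is asking the pkg-vulnerabilities maintainers to make.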


