Marc Merlin wrote:
[..]
> >
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package. Debian has
> > discovered this bug two years ago and fixed it. Therefore versions in
> > both, the stable and the unstable, distributions of Debian are not
> > vulnerable to this problem.
>
> Does anyone know if Debian never sent the fix to Paul Vixie, or if it was
> sent and Paul "missed it"?

I'm not sure what or how it happened, but in FreeBSD at least this problem
was solved differently, and quite some time ago. FreeBSD's cron doesn't
supply the arguments to sendmail, it uses sendmail -t and prints the
recipient name in the To: header, letting sendmail decide if it's a valid
recipient address or not.

revision 1.3
date: 1995/04/14 21:54:16;  author: ache;  state: Exp;  lines: +3 -2
Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard <pritc003at_private>

Cheers,
-Peter
--
Peter Wemm - peterat_private; peter@yahoo-inc.com; peterat_private
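The pattern described in the reply above, as an added C example (not FreeBSD's cron source and not part of the original message): the sendmail argument vector is constant and the recipient appears only in the To: header. The sendmail path, the function name build_mail_header, the Subject format and the CR/LF check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constant argv: no crontab-supplied text reaches the command line.
 * The path is an assumption; -t makes sendmail take recipients from headers. */
static const char *const MAIL_ARGV[] = { "/usr/sbin/sendmail", "-t", NULL };

/* Write the header block for a job's output mail into out.
 * Returns the header length, or -1 if mailto is empty, either value holds
 * CR/LF (which would add header lines), or the result does not fit. */
int build_mail_header(char *out, size_t outlen, const char *mailto,
                      const char *job)
{
    int n;

    if (mailto == NULL || job == NULL || *mailto == '\0')
        return -1;
    if (strpbrk(mailto, "\r\n") != NULL || strpbrk(job, "\r\n") != NULL)
        return -1;
    /* snprintf bounds the write; a truncated header is rejected, not sent. */
    n = snprintf(out, outlen, "To: %s\nSubject: cron: %s\n\n", mailto, job);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char hdr[256];
    char longaddr[1024];   /* constructed over-long MAILTO value */

    memset(longaddr, 'A', sizeof longaddr - 1);
    longaddr[sizeof longaddr - 1] = '\0';

    if (build_mail_header(hdr, sizeof hdr, "root", "/usr/bin/true") > 0)
        printf("%s %s\n%s", MAIL_ARGV[0], MAIL_ARGV[1], hdr);
    printf("overlong: %d\n",
           build_mail_header(hdr, sizeof hdr, longaddr, "job"));
    printf("newline:  %d\n",
           build_mail_header(hdr, sizeof hdr, "a\nBcc: b", "job"));
    return 0;
}
```

The caller would pipe the returned header, followed by the job output, to the process started with MAIL_ARGV; sendmail then decides whether the To: value is a valid recipient.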