file-4.22 is now available
Christos Zoulas
christos at zoulas.com
Fri Dec 28 17:15:04 EET 2007
On Dec 28, 3:08pm, Mark.Martinec+amavis at ijs.si (Mark Martinec) wrote:
-- Subject: Re: file-4.22 is now available
| Christos,
|
| > ftp://ftp.astron.com/pub/file/file-4.22.tar.gz
|
| Looks like you forgot to take out the old problematic regexps
| (as I wrote some time ago):
|
| 100 regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
| 100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text
|
| while providing the fixed ones:
|
| 100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
| 100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
|
| so the CVE-2007-2026 DoS vulnerability is still applicable to 4.22.
|
| See:
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026
| http://www.amavis.org/security/asa-2007-3.txt
|
Thanks, I removed them. I don't know how they got in...
christos
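
An added example, not part of the original messages and not code from file or amavis: a small lint that reads magic entries and reports regex tests containing unbounded repetition (`*`, `+`, `{n,}`), the construct the fixed entries above replace with bounded `{0,10}` / `{1,10}` ranges. The function names and the simplified model of magic-file escaping are assumptions made for this illustration.

```python
import re

# The four magic entries quoted in the message above: two old, then two fixed.
SAMPLE = r"""
100 regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text
100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
"""

def split_entry(line):
    """Return (type, test); the test field ends at the first unescaped whitespace."""
    parts = line.split(None, 2)
    if len(parts) < 3 or line.startswith("#"):
        return None
    rest, i = parts[2], 0
    while i < len(rest) and not rest[i].isspace():
        i += 2 if rest[i] == "\\" else 1
    return parts[1], rest[:i]

def magic_unescape(test):
    """Assumed, simplified magic escaping: \\t and \\n are control chars, \\X is X."""
    return re.sub(r"\\(.)", lambda m: {"t": "\t", "n": "\n"}.get(m.group(1), m.group(1)), test)

def unbounded_quantifiers(regex):
    """Return each *, + or {n,} that is outside an escape or bracket expression."""
    found, i = [], 0
    while i < len(regex):
        if regex[i] == "\\":                # escaped atom such as \s or \*
            i += 1
        elif regex[i] == "[":               # bracket expression: skip to its closing ]
            i += 2 if regex[i + 1:i + 2] == "^" else 1
            i = regex.find("]", i + 1)      # a ] right after [ or [^ is a literal
            if i < 0:
                break
        elif regex[i] in "*+":
            found.append(regex[i])
        elif m := re.match(r"\{\d*,\}", regex[i:]):
            found.append(m.group())
        i += 1
    return found

def lint(magic_text):
    """Return (test, findings) for every regex-type entry in magic_text."""
    report = []
    for entry in map(split_entry, magic_text.splitlines()):
        if entry and entry[0].split("/")[0] == "regex":
            report.append((entry[1], unbounded_quantifiers(magic_unescape(entry[1]))))
    return report
```

Calling `lint(SAMPLE)` returns findings for the two old entries and empty lists for the two fixed ones, so the same check can be run over a shipped magic file to confirm the old entries are gone.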