Debian Security Advisory

DSA-1531-2 policyd-weight -- insecure temporary files

Date Reported:
27 Mar 2008
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2008-1569, CVE-2008-1570.
More information:

Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.

For the stable distribution (etch), this problem has been fixed in version 0.1.14-beta-6etch2.

The old stable distribution (sarge) does not contain a policyd-weight package.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your policyd-weight package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.