Deliver Mail Delivery Multiple Race Condition Vulnerabilities
The information has been provided by Dan Rosenberg.
The original article can be found at: http://seclists.org/bugtraq/2010/Mar/211
* Deliver 2.1.14 and earlier versions
On systems using Deliver over NFS, these attacks can lead to root privileges by taking ownership of critical system files. On other systems, they can result in denial-of-service conditions and information disclosure. In addition, users can deny service to other users by creating lockfiles for other users’ mailboxes.
Users are advised to discontinue use of Deliver in the absence of a patch or new release from the developer.
1/14/10 – Vulnerabilities discovered
1/27/10 – Developer notified
1/27/10 – Developer response, fix planned
3/20/10 – Fix deadlines repeatedly passed, disclosure date set at 3/24/10
3/24/10 – Disclosure