[MacPorts] #49044: Patch/Update procmail because of CVE-2014-3618

MacPorts noreply at macports.org
Fri Oct 2 04:15:04 PDT 2015


#49044: Patch/Update procmail because of CVE-2014-3618
-----------------------+--------------------------------
  Reporter:  sierkb@…  |      Owner:  macports-tickets@…
      Type:  update    |     Status:  new
  Priority:  High      |  Milestone:
 Component:  ports     |    Version:
Resolution:            |   Keywords:  security
      Port:  procmail  |
-----------------------+--------------------------------

Comment (by sierkb@…):

 Replying to [comment:1 ryandesign@…]:
 > CVE-2014-3618 appears to be from last year.

 Yes.

 > The Homebrew ticket you reference doesn't seem to talk about any CVE. It
 > just seems to be the request to add a procmail package to Homebrew.

 Yes. But I think it's irrelevant for MacPorts. I've only mentioned
 Homebrew's action to highlight and stress that there obviously seems to
 be a need for an up-to-date and security-fixed procmail on OS X. MacPorts
 already provides a procmail port (which this ticket is about, to trigger an
 update to fix a security issue filed in CVE-2014-3618); Homebrew so far
 does not provide procmail at all – until now.

 > Part of their ticket seems to talk about using Apple's patched procmail
 > sources instead of the 14-year-old version 3.22 that we currently use.

 Yes. See above.
 Sources for a fix (it seems it might be a very small fix) are given on
 the CVE pages of MITRE and NIST given above.

 > Are you claiming that Apple has already fixed the problems mentioned in
 > this CVE in their sources?

 No. Apple seems to have "fixed" it by entirely removing procmail instead
 of fixing it, and so, from their point of view, there is nothing more for
 them to fix; problem "solved":


  procmail

  Available for: Mac OS X v10.6.8 and later

  Impact: Multiple vulnerabilities in procmail

  Description: Multiple vulnerabilities existed in procmail versions prior
  to 3.22. These issues were addressed by ''removing'' procmail.

  CVE-ID

  CVE-2014-3618

-- 
Ticket URL: <https://trac.macports.org/ticket/49044#comment:2>
MacPorts <https://www.macports.org/>
Ports system for OS X

