==================================
Deliver, multiple vulnerabilities
March 24, 2010
Deliver (http://deliver.sourceforge.net/), a mail delivery program
root as /usr/bin/deliver, is vulnerable to several race conditions that can be
exploited by a local attacker using symbolic links. On systems using Deliver
over NFS, these attacks can result in gaining root privileges via
of critical system files. On other systems, these attacks can result in
denial-of-service conditions and information disclosure. In addition, users can
deny service to other users by creating lockfiles for other users' mailboxes.
Users are advised to discontinue use of Deliver in the absence of a patch or
new release from the developer.
These vulnerabilities were discovered by Dan Rosenberg.
1/14/10 - Vulnerabilities discovered
1/27/10 - Developer notified
1/27/10 - Developer response, fix planned
3/20/10 - Fix deadlines repeatedly passed, disclosure date set at 3/24/10
3/24/10 - Disclosure
CVE identifier CVE-2010-0439 has been assigned to these issues.