hylafax (3:6.0.7-3.1) unstable; urgency=medium
  * NMU
  * Bug fix: "FTBFS: Incompatible TIFF Library.", thanks to Lucas Nussbaum
    (Closes: #978220).
  * Bug fix: "CVE-2020-15397 CVE-2020-15396", thanks to Moritz Muehlenhoff
    (Closes: #964198):
    - The faxsetup utility calls chown on files in user-owned directories.
      By winning a race, a local attacker could use this to escalate his
      privileges to root.
    - Scripts that execute binaries from directories writable by
      unprivileged users (e.g., locations under /var/spool/hylafax that are
      writable by the uucp account). This allows these users to execute code
      in the context of the user calling these binaries (often root).
-- Bastien Roucariès <email address hidden> Wed, 13 Jan 2021 13:00:13 +0000