[hylafax-users] Ghostscript vulnerability

[Lee Howard <faxguy@xxxxxxxxxxxxxxxx>]

This shouldn't cause any gross alarm to anyone, but as a security 
measure all HylaFAX administrators should be aware of a Ghostscript 
vulnerability announced today on bugtraq.  The announcement does not 
state whether or not the Ghostscript development team has corrected the 
issue or not, but I do see various distributions coming out with their 
own patched versions of Ghostscript.

If you would like to follow this, I've started a bugzilla entry with 
Ghostscript's development team here:

http://bugs.ghostscript.com/show_bug.cgi?id=689730

In any case, I would advise all HylaFAX administrators to watch 
Ghostscript updates for their distributions during the next several 
days.  Update and test HylaFAX (especially sending) afterwards.  If you 
installed Ghostscript from source or from some other place which does 
not provide updates, then you should keep an eye on that bugzilla entry 
for a fix or extract and use a patch being used by one of the 
distributions for this issue.

The vulnerability for HylaFAX deployments is mitigated by the amount of 
trust in the allowed fax senders.  If your sender pool is quite 
restricted and well-trusted then your exposure is quite limited.  If 
your sender pool is quite open and untrusted (i.e. TPC cells) then you 
may be at greater risk.

Thanks,

Lee.


____________________ HylaFAX(tm) Users Mailing List _______________________
 To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null
 *To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*