Subject: Urgent: please update iRedAPD to version 1.3.3 as soon as possible to fix a security vulnerability
Hi, all.
A security vulnerability has been found in iRedAPD-1.3.2 and all earlier versions. Everyone running iRedAPD is strongly advised to upgrade to 1.3.3.
** Problem description **
Quoted from forum member "rizkiwicaksono":
"When plugins get loaded by iRedAPD, it automatically compiles the source .py files into .pyc files for faster loading in the future. But unfortunately the compiled file permission is world writable (666 mode). Since iRedAPD runs as root (root privilege for iRedAPD is too much), an attacker can replace PYC plugin files with maliciously crafted PYC files to execute code with root privilege."
"An attacker can prepare a malicious PYC file on his own test box, then upload it to the victim box and replace the original pyc file with his own."
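The exposure described above comes down to file modes, so it is easy to audit on a running box before or after upgrading. The script below is an added example written for this announcement; it is not rizkiwicaksono's code and not part of iRedAPD. It walks a plugin directory, reports every .py/.pyc/.pyo file (and every directory, since overwriting a file only needs write access to its directory) that a non-owner could modify, and strips the group/other write bits. The sample plugin tree it builds in a temporary directory is constructed for the demo: the .py is 0644 and its .pyc is 0666, mirroring the report. The plugin directory path is an assumption; point it at your own iRedAPD plugin directory.

```python
import os
import stat
import tempfile

# Mode bits that grant write access to anyone other than the file owner.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH
PLUGIN_SUFFIXES = (".py", ".pyc", ".pyo")


def writable_by_others(path):
    """True if group or other may write to the file or directory at path."""
    return bool(os.lstat(path).st_mode & NON_OWNER_WRITE)


def find_exposed(root):
    """Return sorted (path, mode) pairs for plugin files and directories under
    root that a non-owner could modify.  Directories are included because a
    writable directory lets an attacker replace a read-only .pyc by rename."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [
            os.path.join(dirpath, f) for f in filenames if f.endswith(PLUGIN_SUFFIXES)
        ]
        for path in candidates:
            if writable_by_others(path):
                exposed.append((path, stat.S_IMODE(os.lstat(path).st_mode)))
    return sorted(exposed)


def harden(root):
    """Remove group/other write bits from everything find_exposed reports.
    Returns the list of paths whose mode was changed."""
    changed = []
    for path, mode in find_exposed(root):
        os.chmod(path, mode & ~NON_OWNER_WRITE)
        changed.append(path)
    return changed


def build_sample_plugin_dir():
    """Constructed demo tree (not real iRedAPD files): a 0644 plugin source
    next to its 0666 byte-code file, as in the report.  os.chmod is used so
    the result does not depend on the caller's umask."""
    root = tempfile.mkdtemp(prefix="iredapd-plugins-")
    os.chmod(root, 0o755)
    src = os.path.join(root, "sample_plugin.py")
    pyc = os.path.join(root, "sample_plugin.pyc")
    with open(src, "w") as fh:
        fh.write("def restriction(**kwargs):\n    return 'DUNNO'\n")
    with open(pyc, "wb") as fh:
        fh.write(b"\x00" * 16)  # placeholder bytes, not real byte-code
    os.chmod(src, 0o644)
    os.chmod(pyc, 0o666)
    return root, pyc


if __name__ == "__main__":
    # Assumed location; on a real host use your iRedAPD plugin directory instead.
    plugin_dir, _ = build_sample_plugin_dir()
    for path, mode in find_exposed(plugin_dir):
        print("exposed: %s (mode %o)" % (path, mode))
    print("hardened:", harden(plugin_dir))
    print("remaining:", find_exposed(plugin_dir))
```

Fixing the modes closes the overwrite path on an old install, but it does not change the fact that iRedAPD itself runs as root and recompiles plugins; upgrading to 1.3.3 is still the actual fix.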
** How to fix **
The simplest way is a fresh install of iRedAPD-1.3.3:
- Download iRedAPD-1.3.3 directly: http://iredmail.googlecode.com/files/iR … .3.tar.bz2
- Installation guide (for OpenLDAP backend): http://iredmail.org/wiki/index.php?titl … D/OpenLDAP
** Credits **
Thanks to forum member rizkiwicaksono for the report, for the YouTube video he made, and for the code contribution. :)