The lockmail binary shipped with maildrop allows for an attacker to
obtain an effective gid as group "mail". Debian ships the binary with its
setgid bit set, but the program does not drop privileges when run. It takes
an argument that is executed, and since it does not drop privileges, an
attacker can execute an arbitrary command with an effective gid of the "mail"
group.
For the testing distribution (etch) this is fixed in version 1.5.3-1.1etch1
For the unstable distribution (sid) this is fixed in version 1.5.3-2
This upgrade is recommended if you use maildrop.
If you have the secure testing lines in your sources.list, you can update by running this command as root:
apt-get update && apt-get install maildrop
To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
