Package : uw-imap Version : 8:2007f~dfsg-4+deb8u1 CVE ID : CVE-2018-19518 Debian Bug : 914632 A vulnerability was discovered in uw-imap, the University of Washington IMAP Toolkit, that might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. This update disables access to IMAP mailboxes through running imapd over rsh, and therefore ssh for users of the client application. Code which uses the library can still enable it with tcp_parameters() after making sure that the IMAP server name is sanitized. For Debian 8 "Jessie", this problem has been fixed in version 8:2007f~dfsg-4+deb8u1. We recommend that you upgrade your uw-imap packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature