[SECURITY] [DLA 2234-1] netqmail security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : netqmail
Version : 1.06-6.2~deb8u1
CVE ID : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811
CVE-2020-3812
Debian Bug : 961060
There were several CVE bugs reported against src:netqmail.
CVE-2005-1513
Integer overflow in the stralloc_readyplus function in qmail,
when running on 64 bit platforms with a large amount of virtual
memory, allows remote attackers to cause a denial of service
and possibly execute arbitrary code via a large SMTP request.
CVE-2005-1514
commands.c in qmail, when running on 64 bit platforms with a
large amount of virtual memory, allows remote attackers to
cause a denial of service and possibly execute arbitrary code
via a long SMTP command without a space character, which causes
an array to be referenced with a negative index.
CVE-2005-1515
Integer signedness error in the qmail_put and substdio_put
functions in qmail, when running on 64 bit platforms with a
large amount of virtual memory, allows remote attackers to
cause a denial of service and possibly execute arbitrary code
via a large number of SMTP RCPT TO commands.
CVE-2020-3811
qmail-verify as used in netqmail 1.06 is prone to a
mail-address verification bypass vulnerability.
CVE-2020-3812
qmail-verify as used in netqmail 1.06 is prone to an
information disclosure vulnerability. A local attacker can
test for the existence of files and directories anywhere in
the filesystem because qmail-verify runs as root and tests
for the existence of files in the attacker's home directory,
without dropping its privileges first.
For Debian 8 "Jessie", these problems have been fixed in version
1.06-6.2~deb8u1.
We recommend that you upgrade your netqmail packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl7ZIC0ACgkQgj6WdgbD
S5adJRAAqABD/bss4FOrdns7jC9by/iOWaSL6W6ljy7NRBLmKvzLp+u4fBVeCW1g
on6W0m/tkQhpRBxQPdtDpqfza7ENDGQH73cuBxEMNTbxSlNJMAQHpAZrnvADV3dP
zb6lkRX6YbIjnXl2u5on1m+uej2t5QHidUsaAEtc7LyyKS8EX5YmKfwFQ/oKIfzB
e0v6KONgYwImeyKblLwIDiHe3CM7pJ1v5e93rw6K/EoP/tyrQ4UfN319aq7QURyt
8JWxiPi1mVVE5psM7Pv5XRZ7Q1naccvWH3qO5qt4MF7i4izTXAL4w04apUx2IH1N
dNFZwces0KgA2X5/rEDAGJjypZTetCbVziR5qPbMMD9U4VUKsXIOremMEJ3JdO+0
3fFY317LQMbtIWQ/kgTSUiGp24FNn1rkmLBXiQTv0yZ+pABYq0pggiPE4SDsvLoE
mW42AXHMDg3TKGvdbsMogXcodY1RJwNhMEtX2P8rUb3P6aX8jV5YSLScn4nYHvB5
yoIio38XRwYPfDY4rDhm4/mEeRc+H04UFVbZNSsOYbeyfutLwKu7hSKTT2rrLozn
x7O2QUPotnYguHOYmOxnkDb05Y5fZjqr/ZjRvFiE+GT4/VUEmODp4cQGHN7W8zPI
Ipl/yN69DKswW39z+a9mYtRAxHE+qfb/opepNDwSFXiK9+rgkh4=
=oWgt
-----END PGP SIGNATURE-----
Reply to: