author Utkarsh Gupta <utkarsh@debian.org> 2020-06-05 09:35:12 +0530
committer Utkarsh Gupta <utkarsh@debian.org> 2020-06-05 09:35:12 +0530
commit f06501c0d28e56630b8ef9e96e180d00ebd26066
tree c4d0a1995ed88b148810d978eae2f3dc5225b0ae
parent 1deb3d9214d0c6d5824cc255d19fad70be02c587
DLA-2234-1 advisory
-rw-r--r-- english/lts/security/2020/dla-2234.data 10
-rw-r--r-- english/lts/security/2020/dla-2234.wml 59
2 files changed, 69 insertions, 0 deletions
diff --git a/english/lts/security/2020/dla-2234.data b/english/lts/security/2020/dla-2234.data
new file mode 100644
index 00000000000..62eaefac3c1
--- /dev/null
+++ b/english/lts/security/2020/dla-2234.data
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-2234-1 netqmail</define-tag>
+<define-tag report_date>2020-06-05</define-tag>
+<define-tag secrefs>CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811 CVE-2020-3812 Bug#961060</define-tag>
+<define-tag packages>netqmail</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
diff --git a/english/lts/security/2020/dla-2234.wml b/english/lts/security/2020/dla-2234.wml
new file mode 100644
index 00000000000..32e896254bb
--- /dev/null
+++ b/english/lts/security/2020/dla-2234.wml
@@ -0,0 +1,59 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+
+<p>There were several CVE bugs reported against src:netqmail.</p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2005-1513">CVE-2005-1513</a>
+
+ <p>Integer overflow in the stralloc_readyplus function in qmail,
+ when running on 64 bit platforms with a large amount of virtual
+ memory, allows remote attackers to cause a denial of service
+ and possibly execute arbitrary code via a large SMTP request.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2005-1514">CVE-2005-1514</a>
+
+ <p>commands.c in qmail, when running on 64 bit platforms with a
+ large amount of virtual memory, allows remote attackers to
+ cause a denial of service and possibly execute arbitrary code
+ via a long SMTP command without a space character, which causes
+ an array to be referenced with a negative index.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2005-1515">CVE-2005-1515</a>
+
+ <p>Integer signedness error in the qmail_put and substdio_put
+ functions in qmail, when running on 64 bit platforms with a
+ large amount of virtual memory, allows remote attackers to
+ cause a denial of service and possibly execute arbitrary code
+ via a large number of SMTP RCPT TO commands.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-3811">CVE-2020-3811</a>
+
+ <p>qmail-verify as used in netqmail 1.06 is prone to a
+ mail-address verification bypass vulnerability.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-3812">CVE-2020-3812</a>
+
+ <p>qmail-verify as used in netqmail 1.06 is prone to an
+ information disclosure vulnerability. A local attacker can
+ test for the existence of files and directories anywhere in
+ the filesystem because qmail-verify runs as root and tests
+ for the existence of files in the attacker's home directory,
+ without dropping its privileges first.</p></li>
+
+</ul>
+
+<p>For Debian 8 <q>Jessie</q>, these problems have been fixed in version
+1.06-6.2~deb8u1.</p>
+
+<p>We recommend that you upgrade your netqmail packages.</p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2020/dla-2234.data"
+# $Id: $
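Review bot: The CVE-2020-3811 entry says only that qmail-verify "is prone to a mail-address verification bypass vulnerability", with no mechanism, precondition or impact, while the CVE-2020-3812 entry right after it spells out what a local attacker can do and why (qmail-verify runs as root without dropping privileges). Suggest adding one sentence on what the bypass allows, so an administrator can judge exposure from the advisory alone. Smaller points in the same hunk: the opening line "There were several CVE bugs reported against src:netqmail." could summarise the impact the entries describe (remote denial of service and possible code execution via SMTP, plus the local file-existence disclosure); "64 bit" in the three CVE-2005 entries should be hyphenated as "64-bit"; and the final "# $Id: $" line is an unexpanded keyword placeholder that can be dropped unless the build still expects it.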
