Debian: courier arbitrary command execution vulnerability

    Date30 Jan 2003
    CategoryDebian
    2757
    Posted ByLinuxSecurity Advisories
    The developers of courier, an integrated user side mail server,discovered a problem in the PostgreSQL auth module.
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 247-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                             Martin Schulze
    January 30th, 2003                       http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : courier
    Vulnerability  : missing input sanitizing
    Problem-Type   : remote
    Debian-specific: no
    CVE Id         : CAN-2003-0040
    
    The developers of courier, an integrated user side mail server,
    discovered a problem in the PostgreSQL auth module.  Not all
    potentially malicious characters were sanitized before the username
    was passed to the PostgreSQL engine.  An attacker could inject
    arbitrary SQL commands and queries exploiting this vulnerability.  The
    MySQL auth module is not affected.
    
    For the stable distribution (woody) this problem has been fixed in
    version 0.37.3-3.3.
    
    The old stable distribution (potato) does not contain courier packages.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 0.40.2-3.
    
    We recommend that you upgrade your courier-authpostgresql package.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3.dsc
          Size/MD5 checksum:      846 06c98336ee0e40813eac24cb59574de8
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3.diff.gz
          Size/MD5 checksum:    12649 bac28bb29418f9d965aedeb819876ebc
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3.orig.tar.gz
          Size/MD5 checksum:  3238268 f5f742679ac97906fc306763e08e1ed8
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_alpha.deb
          Size/MD5 checksum:    43286 d73b6054896137f6593a4b438da54fdc
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_alpha.deb
          Size/MD5 checksum:     9970 f8141363587679a4badc7c1c7e714751
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_alpha.deb
          Size/MD5 checksum:     7700 6b774c8584957bee71f0cf4f66aac69a
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_alpha.deb
          Size/MD5 checksum:     9748 d75800272a41656b4324131a8de3a47c
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_alpha.deb
          Size/MD5 checksum:    93626 7cb6a750dfcd12d70cc792d6c0c25e44
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_arm.deb
          Size/MD5 checksum:    31688 76f041c97200593230de7d75b74a27fa
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_arm.deb
          Size/MD5 checksum:     9982 0391cd8403375b732364729533195baa
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_arm.deb
          Size/MD5 checksum:     7710 39351976e1843f6c376864d578c88f8a
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_arm.deb
          Size/MD5 checksum:     9762 c012baa4e698f48e6e74562f6f626d83
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_arm.deb
          Size/MD5 checksum:    85796 b9ef96842ea07aa90f55e5ed9a22fcc6
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_i386.deb
          Size/MD5 checksum:    31702 06f4eb45fef2f3bdc3240489e54ddb94
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_i386.deb
          Size/MD5 checksum:     9986 584fe5ff49d360476ebf7ae799f55d78
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_i386.deb
          Size/MD5 checksum:     7702 3deb08407cafe11d7f6560992aab1548
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_i386.deb
          Size/MD5 checksum:     9754 8281e82d5e9a586d9f7c65e56cdb9d5e
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_i386.deb
          Size/MD5 checksum:    85934 88583de865d2a8a71642c573a581b37c
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_ia64.deb
          Size/MD5 checksum:    52488 9f27903c254017232f683d241291554a
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_ia64.deb
          Size/MD5 checksum:     9966 c7892d31d784570e0b850f830de54b7a
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_ia64.deb
          Size/MD5 checksum:     7702 432d440f8eed3064669685ba2137e675
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_ia64.deb
          Size/MD5 checksum:     9744 16db3ffd78cf03be43f42d3dbad42abd
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_ia64.deb
          Size/MD5 checksum:    99776 b4ad9bfa2138c815e6ef0bdce451ad1f
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_hppa.deb
          Size/MD5 checksum:    38698 6354e42a8825547180e1d72ce88d4411
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_hppa.deb
          Size/MD5 checksum:     9988 a3840b6d07ecbbb331013b2974793f9b
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_hppa.deb
          Size/MD5 checksum:     7718 2814bb4c2ba66acfd115592696e11c20
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_hppa.deb
          Size/MD5 checksum:     9760 fd04955f15e8bcbe9beedaafd63451d4
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_hppa.deb
          Size/MD5 checksum:    89728 5790238a67c16dddad04cc4dedc59402
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_m68k.deb
          Size/MD5 checksum:    30386 d9371b8ca860a6c8cc528398d443dc24
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_m68k.deb
          Size/MD5 checksum:     9996 3f02bfe83fd648b29334f5ba13ef935a
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_m68k.deb
          Size/MD5 checksum:     7726 43da03e0fb11e24d1a7942594caa2755
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_m68k.deb
          Size/MD5 checksum:     9782 258b1435fb6e52dd6dc9aacbe316a37e
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_m68k.deb
          Size/MD5 checksum:    84936 7d4b51710a752d7f6a53e75b90485441
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_mips.deb
          Size/MD5 checksum:    37616 d1d9383cbba7b1051729d82a27923808
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_mips.deb
          Size/MD5 checksum:     9988 acd934a8f93dac2ea887fd86394e24d8
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_mips.deb
          Size/MD5 checksum:     7708 0297eb5910e632c7c06541aaca5773a3
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_mips.deb
          Size/MD5 checksum:     9760 56a6a6b1c5ba18de262805bbb286a4ae
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_mips.deb
          Size/MD5 checksum:    89832 c5195e55151d73bb957aa1a438a44580
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_mipsel.deb
          Size/MD5 checksum:    37664 ca340f34aa9ca4f4d4dca605c07a65ce
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_mipsel.deb
          Size/MD5 checksum:     9994 262df132d4996cac3011e6721da75864
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_mipsel.deb
          Size/MD5 checksum:     7718 185ff2b06601d9be54ff24ff9970b7c8
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_mipsel.deb
          Size/MD5 checksum:     9768 cf246ff96396e47d46bbb93051aa2352
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_mipsel.deb
          Size/MD5 checksum:    89710 dd9288abb1040c1e7abfcd60d77853e3
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_powerpc.deb
          Size/MD5 checksum:    34250 18d79adacdd40dc28c0a98b935123a44
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_powerpc.deb
          Size/MD5 checksum:     9984 7fabecb34944b6c91c3d715828ff1c29
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_powerpc.deb
          Size/MD5 checksum:     7702 7879e85df4b5784d88e4d399151376ce
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_powerpc.deb
          Size/MD5 checksum:     9762 8bc79b825932c9fc610eb0da1a0ae363
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_powerpc.deb
          Size/MD5 checksum:    87626 e35e6dfcae22dc627323bc1c0b9a708c
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_s390.deb
          Size/MD5 checksum:    32818 57a6010ead7b7198e3821d1ecc59b3f7
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_s390.deb
          Size/MD5 checksum:     9978 db8df580e4191d72f6816ec16e08e31b
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_s390.deb
          Size/MD5 checksum:     7704 5b27db7bc128e9321bbe3e5ba6e73bc7
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_s390.deb
          Size/MD5 checksum:     9756 a12f26e225fa2afe304177a0fc3628ec
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_s390.deb
          Size/MD5 checksum:    87528 59e1740f6ef624130ff3e27ed81b92d4
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_sparc.deb
          Size/MD5 checksum:    32670 f44e6c6b05e3b4eb5badaa0c02b982fb
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_sparc.deb
          Size/MD5 checksum:     9980 da61d5ef0adf05de8a8f336630c4b42b
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_sparc.deb
          Size/MD5 checksum:     7710 16c0477e0c3c5143e0b78824b16ca986
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_sparc.deb
          Size/MD5 checksum:     9758 1aff618c6a6547f6ad4a2f425d65ed48
         http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_sparc.deb
          Size/MD5 checksum:    89076 12602177603319651d1084cd86edbebf
    
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"5","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":33.33,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"1","type":"x","order":"3","pct":11.11,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.