Debian LTS: DLA-2234-1: netqmail security update

    Date 04 Jun 2020
    Posted By LinuxSecurity Advisories
    
    Package        : netqmail
    Version        : 1.06-6.2~deb8u1
    CVE ID         : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811
                     CVE-2020-3812
    Debian Bug     : 961060
    
    
    There were several CVE bugs reported against src:netqmail.
    
    CVE-2005-1513
    
        Integer overflow in the stralloc_readyplus function in qmail,
        when running on 64-bit platforms with a large amount of virtual
        memory, allows remote attackers to cause a denial of service
        and possibly execute arbitrary code via a large SMTP request.
    
    CVE-2005-1514
    
        commands.c in qmail, when running on 64-bit platforms with a
        large amount of virtual memory, allows remote attackers to
        cause a denial of service and possibly execute arbitrary code
        via a long SMTP command without a space character, which causes
        an array to be referenced with a negative index.
    
    CVE-2005-1515
    
        Integer signedness error in the qmail_put and substdio_put
        functions in qmail, when running on 64-bit platforms with a
        large amount of virtual memory, allows remote attackers to
        cause a denial of service and possibly execute arbitrary code
        via a large number of SMTP RCPT TO commands.
    
    CVE-2020-3811
    
        qmail-verify as used in netqmail 1.06 is prone to a
        mail-address verification bypass vulnerability.
    
    CVE-2020-3812
    
        qmail-verify as used in netqmail 1.06 is prone to an
        information disclosure vulnerability. A local attacker can
        test for the existence of files and directories anywhere in
        the filesystem because qmail-verify runs as root and tests
        for the existence of files in the attacker's home directory,
        without dropping its privileges first.
    
    For Debian 8 "Jessie", these problems have been fixed in version
    1.06-6.2~deb8u1.
    
    We recommend that you upgrade your netqmail packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    
    
    Best,
    Utkarsh
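
The integer-overflow class described under CVE-2005-1513, shown as an added example (not qmail source and not the Debian patch): a growable buffer whose capacity arithmetic wraps, next to a checked version that refuses the request. The struct, the function names, the 32-bit counters and the growth-slack formula are assumptions made for illustration, and the values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a growable byte buffer; all names are hypothetical
   and the growth slack (30 + want/8) is an assumption for illustration. */
struct buf { char *s; uint32_t len; uint32_t a; };

/* Unchecked sizing: len + n is computed modulo 2^32, so a huge request can
   yield a "needed" capacity smaller than the data already in the buffer. */
uint32_t needed_unchecked(uint32_t len, uint32_t n)
{
    uint32_t want = len + n;                 /* may wrap */
    return 30u + want + (want >> 3);         /* may wrap again */
}

/* Checked sizing: returns the capacity, or 0 if any step would overflow
   (0 is never a valid result because the slack is at least 30). */
uint32_t needed_checked(uint32_t len, uint32_t n)
{
    uint32_t want, slack;
    if (n > UINT32_MAX - len) return 0;
    want = len + n;
    slack = 30u + (want >> 3);               /* at most 30 + 2^29, no wrap */
    if (slack > UINT32_MAX - want) return 0;
    return want + slack;
}

/* Hardened "make room for n more bytes": 1 on success, 0 on failure.
   On failure the buffer is left untouched. */
int buf_readyplus(struct buf *b, uint32_t n)
{
    uint32_t cap;
    char *p;
    if (b->s && n <= b->a - b->len) return 1; /* relies on len <= a */
    cap = needed_checked(b->len, n);
    if (cap == 0) return 0;                   /* refuse instead of wrapping */
    p = realloc(b->s, cap);
    if (!p) return 0;
    b->s = p; b->a = cap;
    return 1;
}

int main(void)
{
    printf("unchecked: %u\n", (unsigned)needed_unchecked(0xFFFFFF00u, 0x200u));
    printf("checked:   %u\n", (unsigned)needed_checked(0xFFFFFF00u, 0x200u));
    return 0;
}
```

The unchecked sizing returns a capacity far smaller than the bytes the buffer already holds, which is the condition that turns a later copy into memory corruption; the checked sizing fails the request instead.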
    
