-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1967
                          netqmail security update
                                5 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netqmail
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Denial of Service               -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Unauthorised Access             -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3812 CVE-2020-3811 CVE-2005-1515 CVE-2005-1514
                   CVE-2005-1513

Reference:         ESB-2020.1841

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-2234-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : netqmail
Version        : 1.06-6.2~deb8u1
CVE ID         : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811
                 CVE-2020-3812
Debian Bug     : 961060

There were several CVE bugs reported against src:netqmail.

CVE-2005-1513

    Integer overflow in the stralloc_readyplus function in qmail, when
    running on 64-bit platforms with a large amount of virtual memory,
    allows remote attackers to cause a denial of service and possibly
    execute arbitrary code via a large SMTP request.

CVE-2005-1514

    commands.c in qmail, when running on 64-bit platforms with a large
    amount of virtual memory, allows remote attackers to cause a denial of
    service and possibly execute arbitrary code via a long SMTP command
    without a space character, which causes an array to be referenced with
    a negative index.

CVE-2005-1515

    Integer signedness error in the qmail_put and substdio_put functions in
    qmail, when running on 64-bit platforms with a large amount of virtual
    memory, allows remote attackers to cause a denial of service and
    possibly execute arbitrary code via a large number of SMTP RCPT TO
    commands.

CVE-2020-3811

    qmail-verify as used in netqmail 1.06 is prone to a mail-address
    verification bypass vulnerability.

CVE-2020-3812

    qmail-verify as used in netqmail 1.06 is prone to an information
    disclosure vulnerability. A local attacker can test for the existence
    of files and directories anywhere in the filesystem, because
    qmail-verify runs as root and tests for the existence of files in the
    attacker's home directory without dropping its privileges first.

For Debian 8 "Jessie", these problems have been fixed in version
1.06-6.2~deb8u1.

We recommend that you upgrade your netqmail packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

- --------------------------END INCLUDED TEXT--------------------
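The three 2005 issues above share one root cause: 32-bit length arithmetic on a growable buffer that a 64-bit host with abundant virtual memory will happily let wrap. The following is an added illustration, not netqmail's own source, of a stralloc-like buffer whose growth step fails closed on wrap-around and on a policy cap; the struct, function names and the 64 MiB cap are constructed for this example.

```c
/* Added illustration, not netqmail's source: a stralloc-like growable
   buffer whose "ready plus n" growth step checks its 32-bit length
   arithmetic before allocating, the class of check that the
   CVE-2005-1513/CVE-2005-1515 descriptions above concern.
   Names and the cap are constructed for this example. */
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *s;
    unsigned int len;   /* bytes in use */
    unsigned int a;     /* bytes allocated */
} stralloc;

/* Unchecked growth target: on a 64-bit host that can actually hand out
   multi-gigabyte buffers, len + n wraps past UINT_MAX and a huge
   request is treated as a small one. */
unsigned int readyplus_unchecked_target(unsigned int len, unsigned int n)
{
    return len + n;
}

#define STRALLOC_MAX (64u * 1024u * 1024u)  /* constructed 64 MiB cap */

/* Hardened variant: fail closed on wrap-around or on exceeding the cap. */
int stralloc_readyplus_checked(stralloc *x, unsigned int n)
{
    if (n > UINT_MAX - x->len) return 0;          /* len + n would wrap */
    unsigned int need = x->len + n;
    if (need > STRALLOC_MAX) return 0;            /* over policy limit */
    if (need <= x->a) return 1;                   /* already fits */
    unsigned int want = need + (need >> 3) + 30;  /* slack; safe under cap */
    char *t = realloc(x->s, want);
    if (!t) return 0;
    x->s = t;
    x->a = want;
    return 1;
}

/* Append a C string, e.g. one SMTP command line, through the checked path. */
int stralloc_cats_checked(stralloc *x, const char *str)
{
    size_t sl = strlen(str);
    if (sl > UINT_MAX) return 0;
    if (!stralloc_readyplus_checked(x, (unsigned int)sl)) return 0;
    memcpy(x->s + x->len, str, sl);
    x->len += (unsigned int)sl;
    return 1;
}
```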
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================