ESB-2016.0167 - [Win][UNIX/Linux][Debian] claws-mail: Execute arbitrary code/commands - Remote with user interaction

Date: 25 January 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0167
                        claws-mail security update
                              25 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           claws-mail
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8614  

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3452

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running claws-mail check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3452-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
January 23, 2016                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : claws-mail
CVE ID         : CVE-2015-8614

"DrWhax" of the Tails project reported that Claws Mail is missing
range checks in some text conversion functions.  A remote attacker
could exploit this to run arbitrary code under the account of a user
that receives a message from them using Claws Mail.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.8.1-2+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 3.11.1-3+deb8u1.

We recommend that you upgrade your claws-mail packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
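
The fixed versions quoted above are Debian package versions, so "is my install fixed?" is a dpkg version comparison rather than a string comparison: 3.8.1-2+deb7u1 sorts after 3.8.1-2 but before 3.8.1-3, and a "~" suffix sorts before the bare version. The script below is an added example and is not part of the AusCERT or Debian text: it reimplements dpkg's version ordering (epoch, upstream, revision, with the "~" rule) in plain Python so the check runs offline, and compares a version against the two fixed versions from DSA-3452. The suite names and fixed versions come from the advisory; the sample versions in the main block are constructed, and the dpkg-query call is only used when the script is run directly on a Debian host.

```python
"""Check a claws-mail package version against the fixed versions in DSA-3452.

Added example: reimplements dpkg's version ordering (epoch:upstream-revision,
with '~' sorting before everything, including the empty string) so the check
runs offline. The fixed versions below are the ones quoted in the advisory.
"""
import subprocess

# Fixed versions from DSA-3452, keyed by Debian suite.
FIXED_VERSIONS = {
    "wheezy": "3.8.1-2+deb7u1",   # Debian GNU/Linux 7 (oldstable)
    "jessie": "3.11.1-3+deb8u1",  # Debian GNU/Linux 8 (stable)
}


def _order(c):
    """Weight of a character in dpkg's non-digit ordering:
    '~' < end-of-string (and digits) < letters < everything else."""
    if "0" <= c <= "9":
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _is_digit(s, i):
    return i < len(s) and "0" <= s[i] <= "9"


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does: alternate
    runs of non-digits (by character weight) and digits (by numeric value).
    Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: end-of-string weighs 0, so "1.0" > "1.0~rc1" but "1.0" < "1.0a".
        while (i < len(a) and not _is_digit(a, i)) or (j < len(b) and not _is_digit(b, j)):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run is larger, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while _is_digit(a, i) and _is_digit(b, j):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _is_digit(a, i):
            return 1
        if _is_digit(b, j):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into parts (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: rpartition put everything in the tail
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """dpkg-style comparison of two full Debian versions. Returns -1, 0 or 1."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2)
    if c == 0:
        c = _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_fixed(installed, suite):
    """True if the installed claws-mail version is at least the fixed one for suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def installed_version(package="claws-mail"):
    """Ask dpkg for the installed version; None if dpkg is unavailable or the
    package is not installed. Only meaningful on a Debian host."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    for suite, fixed in FIXED_VERSIONS.items():
        # Constructed samples: the pre-fix revision and the fixed version itself.
        for sample in (fixed.split("+")[0], fixed):
            print(f"{suite}: {sample:18} fixed={is_fixed(sample, suite)}")
    v = installed_version()
    if v:
        print("installed claws-mail:", v, {s: is_fixed(v, s) for s in FIXED_VERSIONS})
```

Run it on the affected host (or feed it versions from an inventory export) and treat anything where is_fixed is False as still exposed; on a non-Debian platform the same ordering rules do not apply, which is the point of the AusCERT comment above about checking with the relevant vendor.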

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----