[SECURITY] [DLA 2234-1] netqmail security update

2020-06-04T16:24:17
ID DEBIAN:DLA-2234-1:7C781
Type debian
Reporter Debian
Modified 2020-06-04T16:24:17

Description

Package : netqmail
Version : 1.06-6.2~deb8u1
CVE ID : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811 CVE-2020-3812
Debian Bug : 961060

Several CVEs have been reported against src:netqmail.

CVE-2005-1513

Integer overflow in the stralloc_readyplus function in qmail,
when running on 64 bit platforms with a large amount of virtual
memory, allows remote attackers to cause a denial of service
and possibly execute arbitrary code via a large SMTP request.
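As an added illustration (constructed for this advisory, not netqmail's own stralloc code), a simplified growable buffer with 32-bit unsigned counters shows the kind of unchecked length sum that wraps on a large request, beside a checked variant that reports failure instead of handing back a too-small size:

```c
#include <limits.h>
#include <stdlib.h>

/* Simplified growable byte buffer, modelled loosely on the stralloc type
 * named in the advisory. Constructed for illustration; not netqmail code. */
struct buf {
    char *s;
    unsigned int len;   /* bytes in use */
    unsigned int a;     /* bytes allocated */
};

/* Unchecked: len + n silently wraps in the 32-bit unsigned range, so the
 * "needed" value can be smaller than len and a later "fits?" test passes
 * although the caller is about to write far past the allocation. */
unsigned int needed_unchecked(unsigned int len, unsigned int n)
{
    return len + n;
}

/* Checked: returns 0 and leaves *out untouched when len + n does not fit. */
int needed_checked(unsigned int len, unsigned int n, unsigned int *out)
{
    if (n > UINT_MAX - len)
        return 0;
    *out = len + n;
    return 1;
}

/* Make room for n more bytes beyond x->len.
 * Returns 1 on success, 0 on arithmetic overflow or allocation failure. */
int buf_readyplus(struct buf *x, unsigned int n)
{
    unsigned int want, newa, extra;
    char *p;

    if (!needed_checked(x->len, n, &want))
        return 0;                  /* refuse instead of wrapping */
    if (want <= x->a)
        return 1;                  /* already enough room */
    extra = (want >> 3) + 30;      /* ~12.5% headroom; cannot overflow */
    if (!needed_checked(want, extra, &newa))
        newa = want;               /* headroom would wrap: grow exactly */
    p = realloc(x->s, newa);
    if (!p)
        return 0;
    x->s = p;
    x->a = newa;
    return 1;
}
```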

CVE-2005-1514

commands.c in qmail, when running on 64 bit platforms with a
large amount of virtual memory, allows remote attackers to
cause a denial of service and possibly execute arbitrary code
via a long SMTP command without a space character, which causes
an array to be referenced with a negative index.

CVE-2005-1515

Integer signedness error in the qmail_put and substdio_put
functions in qmail, when running on 64 bit platforms with a
large amount of virtual memory, allows remote attackers to
cause a denial of service and possibly execute arbitrary code
via a large number of SMTP RCPT TO commands.

CVE-2020-3811

qmail-verify as used in netqmail 1.06 is prone to a
mail-address verification bypass vulnerability.

CVE-2020-3812

qmail-verify as used in netqmail 1.06 is prone to an
information disclosure vulnerability. A local attacker can
test for the existence of files and directories anywhere in
the filesystem because qmail-verify runs as root and tests
for the existence of files in the attacker's home directory,
without dropping its privileges first.

For Debian 8 "Jessie", these problems have been fixed in version 1.06-6.2~deb8u1.

We recommend that you upgrade your netqmail packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Best, Utkarsh