Säkerhetsbulletin från Debian

DSA-728-2 qpopper -- släpper inte privilegier

Rapporterat den:

2005-05-26

Berörda paket:

qpopper

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2005-1151, CVE-2005-1152.

Ytterligare information:

Två fel har upptäckts i qpopper, en utökad server för Post Office Protocol (POP3). Projektet Common Vulnerabilities and Exposures identifierar följande problem:

CAN-2005-1151
Jens Steube upptäckte att privilegier inte släpptes vid hantering av lokala filer som ägs eller tillhandahålls av en vanlig användare, vilket kunde leda till att godtyckliga filer skrevs över eller skapades som root.
CAN-2005-1152
Uppströmsutvecklarna upptäckte att qpopper kunde luras till att skapa filer läsbara av gruppen eller alla.

För den stabila utgåvan (Woody) har dessa problem rättats i version 4.0.4-2.woody.5.

För uttestningsutgåvan (Sarge) har dessa problem rättats i version 4.0.5-4sarge1.

För den instabila utgåvan (Sid) kommer dessa problem att rättas i version 4.0.5-4sarge1.

Vi rekommenderar att ni uppgraderar ert qpopper-paket.

Rättat i:

Debian GNU/Linux 3.0 (woody)

Källkod:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.dsc; http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.diff.gz; http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_alpha.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_arm.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_i386.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_ia64.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_hppa.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_m68k.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mips.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mipsel.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_powerpc.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_s390.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_sparc.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_sparc.deb

Debian GNU/Linux 3.1 (sarge)

Källkod:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.dsc; http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz; http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_alpha.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_arm.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_i386.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_ia64.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_hppa.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_m68k.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mips.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mipsel.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_powerpc.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_s390.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_sparc.deb; http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.

MD5-kontrollsummor för dessa filer finns i reviderade bulletinen.