Vulnerability Bulletins |
Múltiples vulnerabilidades en iw-imap |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Obtener acceso |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio estandar |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software | uw-imap |
Description |
|
|
Se han descubierto múltiples vulnerabilidades en uw-imap. Las vulnerabilidades son descritas a continuación: - CVE-2008-5005: Se han descubierto múltiples vulnerabilidades de tipo desbordamiento de búfer. Las vulnerabilidades residen en errores en las utilidades University de Washington IMAP, University de Washington Alpine y Panda IMAP. Un atacante local podría aumentar privilegios mediante la especificación de un argumento de extensión de carpeta largo en la línea de comandos del programa tmail o dmail mientras que un atacante remoto podría ejecutar código remoto mediante el envío de correos al nombre del buzón de destino compuesto de un nombre de usuario y el carácter "+" seguido de una cadena larga, procesado por tmail o posiblemente el programa dmail. - CVE-2008-5006: La vulnerabilidad reside en un error en "smtp.c" de la biblioteca "c-client" de University of Washington IMAP Toolkit 2007b. Un atacante remoto podría causar una denegación de servicio mediante una respuesta al comando "QUIT" con un cierre de la conexión TCP en lugar de con el código de respuesta 221 esperado. |
|
Solution |
|
|
Actualización de software Debian (DSA-1685-1) Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1.orig.tar.gz http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1-13.1+etch1.dsc http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1-13.1+etch1.diff.gz Arquitectura independiente: http://security.debian.org/pool/updates/main/u/uw-imap/ipopd-ssl_2002edebian1-13.1+etch1_all.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd-ssl_2002edebian1-13.1+etch1_all.deb alpha (DEC Alpha) http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_alpha.deb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_amd64.deb arm (ARM) http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_arm.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_arm.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_arm.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_arm.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_arm.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_arm.deb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_i386.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_i386.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_i386.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_i386.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_i386.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_mips.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_mips.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_mips.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_mips.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_mips.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_mips.deb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_mipsel.deb powerpc (PowerPC) http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_powerpc.deb s390 (IBM S/390) http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_s390.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_s390.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_s390.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_s390.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_s390.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_s390.deb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_sparc.deb Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux. Red Hat (RHSA-2009:0275-5) Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) https://rhn.redhat.com/ |
|
Standar resources |
|
| Property | Value |
| CVE |
CVE-2008-5005 CVE-2008-5006 |
| BID | |
Other resources |
|
|
Debian Security Advisory (DSA-1685-1) http://lists.debian.org/debian-security-announce/2008/msg00277.html SUSE Security Advisory (SUSE-SR:2009:001) http://www.novell.com/linux/security/advisories/2009_1_sr.html Red Hat Security Advisory (RHSA-2009:0275-5) https://rhn.redhat.com/errata/RHSA-2009-0275.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2008-12-12 |
| 1.1 | Aviso emitido por Suse (SUSE-SR:2009:001) | 2009-01-14 |
| 1.2 | Aviso emitido por Red Hat (RHSA-2009:0275-5) | 2009-02-20 |