Debian Security Advisory

imp -- remote compromise

Date Reported:
10 Sep 2000
Affected Packages:
imp, horde
Security database references:
In Mitre's CVE dictionary: CVE-2000-0910.
More information:
imp as distributed in Debian GNU/Linux 2.2 suffered from insufficient checking of user supplied data: the IMP webmail interface did not check the $from variable which contains the sender address for shell metacharacters. This could be used to run arbitrary commands on the server running imp.

To fix this, horde (the library imp uses) has been modified to sanitize $from, and imp has been patched to improve checking of user input. The updated versions are horde 1.2.1-0 and imp 2.2.1-0, and we strongly recommend you upgrade both packages immediately.

Fixed in:

Debian 2.2 (potato)

Architecture-independent component: