Debian Security Advisory

DSA-553-1 getmail -- symlink vulnerability

Date Reported:
27 Sep 2004
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 272561.
In Mitre's CVE dictionary: CVE-2004-0880, CVE-2004-0881.
More information:

A security problem has been discovered in getmail, a POP3 and APOP mail gatherer and forwarder. An attacker with a shell account on the victim's host could utilise getmail to overwrite arbitrary files when it is running as root.

For the stable distribution (woody) this problem has been fixed in version 2.3.7-2.

For the unstable distribution (sid) this problem has been fixed in version 3.2.5-1.

We recommend that you upgrade your getmail package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.