Debian Security Advisory

DLA-1700-1 uw-imap -- LTS security update

Date Reported:
01 Mar 2019
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 914632.
In Mitre's CVE dictionary: CVE-2018-19518.
More information:

A vulnerability was discovered in uw-imap, the University of Washington IMAP Toolkit, that might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics.

This update disables access to IMAP mailboxes through running imapd over rsh, and therefore also over ssh, for users of the client application. Code that uses the library can still enable it with tcp_parameters() after making sure that the IMAP server name is sanitized.

For Debian 8 Jessie, this problem has been fixed in version 8:2007f~dfsg-4+deb8u1.

We recommend that you upgrade your uw-imap packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: