Debian Security Advisory

DLA-2234-1 netqmail -- LTS security update

Date Reported:

05 Jun 2020

Affected Packages:

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 961060.
In Mitre's CVE dictionary: CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811, CVE-2020-3812.

More information:

There were several CVE bugs reported against src:netqmail.

CVE-2005-1513
Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.
CVE-2005-1514
commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without a space character, which causes an array to be referenced with a negative index.
CVE-2005-1515
Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands.
CVE-2020-3811
qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.
CVE-2020-3812
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.

For Debian 8 Jessie, these problems have been fixed in version 1.06-6.2~deb8u1.

We recommend that you upgrade your netqmail packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS