Debians sikkerhedsbulletin
DSA-728-2 qpopper -- manglende frigivelse af rettigheder
- Rapporteret den:
- 26. maj 2005
- Berørte pakker:
- qpopper
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2005-1151, CVE-2005-1152.
- Yderligere oplysninger:
-
Dette bulletin dækker kun opdaterede pakker til Debian 3.0 alias "woody". Som reference følger herunder den oprindelige tekst fra bulletinen:
To fejl er opdaget i qpopper, en udvidet Post Office Protocol-server (POP3). Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:
- CAN-2005-1151
Jens Steube har opdaget, at under behandling af lokale filer ejet eller stillet til rådighed af en normal bruger, blev rettighederne ikke smidt væk, hvilket kunne føre til overskrivelse eller oprettelse af vilkårlige filer som root.
- CAN-2005-1152
Opstrømsudviklerne har opdaget at qpopper kunne snydes til at oprette group- eller world-skrivbare filer.
I den stabile distribution (woody) er disse problemer rettet i version 4.0.4-2.woody.5.
I distributionen testing (sarge) er disse problemer rettet i version 4.0.5-4sarge1.
I den ustabile distribution (sid) vil disse problemer blive rettet i version 4.0.5-4sarge1.
Vi anbefaler at du opgraderer din qpopper-pakke.
- CAN-2005-1151
- Rettet i:
-
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.dsc
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.diff.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.5_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.5_sparc.deb
Debian GNU/Linux 3.1 (sarge)
- Kildekode:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.dsc
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb
- http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.
MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.