Commit f029edbc authored by Martin Schulze

[DSA 728-1] New qpopper packages fix arbitrary file overwriting

CVS version numbers

english/security/2005/dsa-728.data: INITIAL -> 1.1 
english/security/2005/dsa-728.wml: INITIAL -> 1.1
parent ea358df0
<define-tag pagetitle>DSA-728-1 qpopper</define-tag>
<define-tag report_date>2005-5-25</define-tag>
<define-tag secrefs>CAN-2005-1151 CAN-2005-1152</define-tag>
<define-tag packages>qpopper</define-tag>
<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>yes</define-tag>
#use wml::debian::security
<h3>Debian GNU/Linux 3.0 (woody)</h3>
<dl>
<dt><source />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4.dsc />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4.diff.gz />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4.orig.tar.gz />
<dt>Alpha:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_alpha.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_alpha.deb />
<dt>ARM:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_arm.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_arm.deb />
<dt>Intel IA-32:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_i386.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_i386.deb />
<dt>Intel IA-64:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_ia64.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_ia64.deb />
<dt>HPPA:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_hppa.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_hppa.deb />
<dt>Motorola 680x0:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_m68k.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_m68k.deb />
<dt>Big endian MIPS:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_mips.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_mips.deb />
<dt>Little endian MIPS:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_mipsel.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_mipsel.deb />
<dt>PowerPC:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_powerpc.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_powerpc.deb />
<dt>IBM S/390:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_s390.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_s390.deb />
<dt>Sun Sparc:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.4-2.woody.4_sparc.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.4-2.woody.4_sparc.deb />
</dl>
<h3>Debian GNU/Linux 3.1 (sarge)</h3>
<dl>
<dt><source />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.dsc />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1.diff.gz />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5.orig.tar.gz />
<dt>Alpha:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_alpha.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_alpha.deb />
<dt>ARM:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_arm.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_arm.deb />
<dt>Intel IA-32:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_i386.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_i386.deb />
<dt>Intel IA-64:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_ia64.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_ia64.deb />
<dt>HPPA:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_hppa.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_hppa.deb />
<dt>Motorola 680x0:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_m68k.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_m68k.deb />
<dt>Big endian MIPS:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mips.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mips.deb />
<dt>Little endian MIPS:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_mipsel.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_mipsel.deb />
<dt>PowerPC:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_powerpc.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_powerpc.deb />
<dt>IBM S/390:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_s390.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_s390.deb />
<dt>Sun Sparc:
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper_4.0.5-4sarge1_sparc.deb />
<dd><fileurl http://security.debian.org/pool/updates/main/q/qpopper/qpopper-drac_4.0.5-4sarge1_sparc.deb />
</dl>
<p><md5sums http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00111.html /></p>
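Review bot: The woody file URLs in dsa-728.data all carry version 4.0.4-2.woody.4 (for example qpopper_4.0.4-2.woody.4.dsc), but the advisory text in dsa-728.wml says the woody fix is in version 4.0.4-2.woody.5. One of the two is wrong. Please check against the announcement referenced in the md5sums line and make the URLs and the stated fixed version agree, so that administrators verifying an upgrade compare against the right build. The sarge URLs (4.0.5-4sarge1) do match the text.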
<define-tag description>missing privilege release</define-tag>
<define-tag moreinfo>
<p>Two bugs have been discovered in qpopper, an enhanced Post Office
Protocol (POP3) server. The Common Vulnerability and Exposures
project identifies the following problems:</p>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1151">CAN-2005-1151</a>
<p>Jens Steube discovered that while processing local files owned or
provided by a normal user privileges weren't dropped, which could
lead to the overwriting or creation of arbitrary files as root.</p>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1152">CAN-2005-1152</a>
<p>The upstream developers noticed that qpopper could be tricked to
creating group- or world-writable files.</p>
</ul>
<p>For the stable distribution (woody) these problems have been fixed in
version 4.0.4-2.woody.5.</p>
<p>For the testing distribution (sarge) these problems have been fixed in
version 4.0.5-4sarge1.</p>
<p>For the unstable distribution (sid) these problems will be fixed in
version 4.0.5-4sarge1.</p>
<p>We recommend that you upgrade your qpopper package.</p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2005/dsa-728.data"
# $Id$
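Review bot: The sid paragraph in moreinfo says the problems "will be fixed in version 4.0.5-4sarge1", which is the same string given for sarge in the paragraph before it. A sarge-suffixed version as the pending unstable fix looks like a carry-over from that paragraph, so please confirm the intended unstable version or reword the sentence. Smaller wording points in the same block: "tricked to creating" should read "tricked into creating", "Common Vulnerability and Exposures" should be "Common Vulnerabilities and Exposures", and the CAN-2005-1151 sentence needs a comma after "normal user" to parse. The description tag "missing privilege release" covers only CAN-2005-1151; consider whether it should also reflect the group- or world-writable file creation in CAN-2005-1152.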