Executive Summary
Summary | |
---|---|
Title | New dspam packages fix information disclosure |
Informations | |||
---|---|---|---|
Name | DSA-1501 | First vendor Publication | 2008-02-21 |
Vendor | Debian | Last vendor Modification | 2008-02-21 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails. For the stable distribution (etch), this problem has been fixed in version 3.6.8-5etch1. Packages for the mipsel architecture will be added as soon as they become available. The old stable distribution (sarge) does not contain the dspam package. For the unstable distribution (sid), this problem has been fixed in version 3.6.8-5.1. We recommend that you upgrade your dspam package. |
Original Source
Url : http://www.debian.org/security/2008/dsa-1501 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18585 | |||
Oval ID: | oval:org.mitre.oval:def:18585 | ||
Title: | DSA-1501-1 dspam - information disclosure | ||
Description: | Tobias Grützmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line. This allowed a local attacker to read the contents of the dspam database, such as emails. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1501-1 CVE-2007-6418 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dspam |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2008-02-28 | Name : Debian Security Advisory DSA 1501-1 (dspam) File : nvt/deb_1501_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
44138 | Debian GNU/Linux libdspam7-drv-mysql Cron MySQL dspam Database Password Local... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-02-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1501.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:22 |
|