Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Summary | |
|---|---|
| Title | netqmail security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-4692 | First vendor Publication | 2020-05-24 |
| Vendor | Debian | Last vendor Modification | 2020-05-24 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
|---|---|---|---|
| Overall CVSS Score | 9.8 | ||
| Base Score | 9.8 | Environmental Score | 9.8 |
| impact SubScore | 5.9 | Temporal Score | 9.8 |
| Exploitabality Sub Score | 3.9 | ||
| Attack Vector | Network | Attack Complexity | Low |
| Privileges Required | None | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Georgi Guninski and the Qualys Research Labs discovered multiple vulnerabilities in qmail (shipped in Debian as netqmail with additional patches) which could result in the execution of arbitrary code, bypass of mail address verification and a local information leak whether a file exists or not. For the oldstable distribution (stretch), these problems have been fixed in version 1.06-6.2~deb9u1. For the stable distribution (buster), these problems have been fixed in version 1.06-6.2~deb10u1. We recommend that you upgrade your netqmail packages. For the detailed security status of netqmail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netqmail |
Original Source
| Url : http://www.debian.org/security/2020/dsa-4692 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 33 % | CWE-665 | Improper Initialization |
| 33 % | CWE-269 | Improper Privilege Management |
| 33 % | CWE-190 | Integer Overflow or Wraparound (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 1 | |
| Application | 1 | |
| Os | 1 | |
| Os | 3 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 16345 | qmail substdio_put Function Signedness Issue A remote overflow exists in qmail when running on 64 bit platforms with 4GB of virtual memory or more. The 'substdio_put()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the qmail process to crash resulting in a loss of availability. |
| 16344 | qmail commands.c Signed Index Issue A remote overflow exists in qmail when running on 64 bit platforms with 8GB of virtual memory or more. The 'commands()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the process to crash resulting in a loss of availability. |
| 16343 | qmail stralloc_readyplus Function Remote Overflow A remote overflow exists in qmail when running on 64 bit platforms with 8 GB virtual memory or more. The 'stralloc_readyplus()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause the SMTP service to crash resulting in a loss of availability. |
Alert History
| Date | Informations |
|---|---|
| 2024-11-12 20:55:53 |
|
