Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian Security Advisory DSA 259-1 (qpopper)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update to qpopper announced via advisory DSA 259-1.
Insight
Insight
Florian Heinz <heinz@cronon-ag.de> posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user 'mail' group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible. The qpopper package in Debian 2.2 (potato) does not include the vulnerable snprintf implementation. For Debian 3.0 (woody) an updated package is available in version 4.0.4-2.woody.3. Users running an unreleased version of Debian should upgrade to 4.0.4-9 or newer. We recommend you upgrade your qpopper package immediately.
Solution
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20259-1