Debian Security Advisory

DLA-869-1 cgiemail -- LTS security update

Date Reported:
24 Mar 2017
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 852031.
In Mitre's CVE dictionary: CVE-2017-5613, CVE-2017-5614, CVE-2017-5615, CVE-2017-5616.
More information:

The cPanel Security Team discovered several security vulnerabilities in cgiemail, a CGI program used to create HTML forms for sending mails:

  • CVE-2017-5613

    A format string injection vulnerability allowed to supply arbitrary format strings to cgiemail and cgiecho. A local attacker with permissions to provide a cgiemail template could use this vulnerability to execute code as webserver user. Format strings in cgiemail tempaltes are now restricted to simple %s, %U and %H sequences.

  • CVE-2017-5614

    An open redirect vulnerability in cgiemail and cgiecho binaries could be exploited by a local attacker to force redirect to an arbitrary URL. These redirects are now limited to the domain that handled the request.

  • CVE-2017-5615

    A vulnerability in cgiemail and cgiecho binaries allowed injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

  • CVE-2017-5616

    Missing escaping of the addendum parameter lead to a reflected cross-site (XSS) vulnerability in cgiemail and cgiecho binaries. The output is now html escaped.

For Debian 7 Wheezy, these problems have been fixed in version 1.6-37+deb7u1.

We recommend that you upgrade your cgiemail packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: