Debian Security Advisory
imp -- remote compromise
- Date Reported: 10 Sep 2000
- Affected Packages: imp, horde
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2000-0910.
- More information:

imp as distributed in Debian GNU/Linux 2.2 suffered from insufficient checking of user-supplied data: the IMP webmail interface did not check the $from variable, which contains the sender address, for shell metacharacters. This could be used to run arbitrary commands on the server running imp.

To fix this, horde (the library imp uses) has been modified to sanitize $from, and imp has been patched to improve checking of user input. The updated versions are horde 1.2.1-0 and imp 2.2.1-0, and we strongly recommend you upgrade both packages immediately.
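As an added illustration of the bug class described above (not the IMP or Horde code itself), the snippet below contrasts a hypothetical sendmail invocation that interpolates $from straight into a shell command line with a hardened version that validates the address against a strict allow-list and then passes it through escapeshellarg(). The function names and the sendmail command line are assumptions made for the example.

```php
<?php
// Added illustration of the bug class described in this advisory; this is
// NOT the IMP/Horde source. Function names and the sendmail invocation are
// hypothetical.

// Vulnerable pattern: the sender address is interpolated straight into a
// shell command line, so metacharacters in $from become shell syntax.
function build_sendmail_vulnerable(string $from): string
{
    return "/usr/sbin/sendmail -f $from -t";
}

// Hardened pattern, step 1: accept only a conservative address syntax.
// Returns null when the input contains anything outside the allow-list.
function sanitize_from(string $from): ?string
{
    // local-part@domain with a strict character allow-list; quotes, spaces
    // and shell metacharacters (; | & ` $ ( ) < > etc.) cannot pass.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $from)) {
        return null;
    }
    return $from;
}

// Hardened pattern, step 2: even a validated value is wrapped with
// escapeshellarg() so the shell sees it as one literal argument.
function build_sendmail_hardened(string $from): ?string
{
    $clean = sanitize_from($from);
    if ($clean === null) {
        return null;   // reject rather than try to "fix" the input
    }
    return '/usr/sbin/sendmail -f ' . escapeshellarg($clean) . ' -t';
}

// Constructed sample inputs: one benign, one carrying a shell metacharacter.
$samples = [
    'alice@example.org',
    'alice@example.org; id',   // the ';' would start a second command
];
foreach ($samples as $from) {
    echo "input:      $from\n";
    echo "vulnerable: " . build_sendmail_vulnerable($from) . "\n";
    $hardened = build_sendmail_hardened($from);
    echo "hardened:   " . ($hardened ?? 'REJECTED') . "\n\n";
}
```

The second sample is rejected outright by the validator; the first passes and is still quoted, which is the layered check the advisory's fix (sanitizing in horde plus stricter input checking in imp) amounts to.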
- Fixed in: Debian 2.2 (potato)
- Source:
  - http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.dsc
  - http://security.debian.org/dists/stable/updates/main/source/horde_1.2.1-0.tar.gz
  - http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.dsc
  - http://security.debian.org/dists/stable/updates/main/source/imp_2.2.1-0.tar.gz
- Architecture-independent component:
  - http://security.debian.org/dists/stable/updates/main/binary-all/horde_1.2.1-0_all.deb
  - http://security.debian.org/dists/stable/updates/main/binary-all/imp_2.2.1-0_all.deb