-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2003.0211 -- Debian Security Advisory DSA 268-1
                 New mutt packages fix arbitrary code execution
                              26 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                mutt
Vendor:                 Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux
                        UNIX
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0140

Ref:                    ESB-2003.0200

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 268-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 25th, 2003                        http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : mutt
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
Bugtraq ID     : 7120
CVE Id         : CAN-2003-0140

Core Security Technologies discovered a buffer overflow in the IMAP code
of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and
threading.  This problem allows a remote malicious IMAP server to cause
a denial of service (crash) and possibly execute arbitrary code via a
specially crafted mail folder.

For the stable distribution (woody) this problem has been fixed in
version 1.3.28-2.1.

The old stable distribution (potato) is not affected by this problem.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.4-1.

We recommend that you upgrade your mutt package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1.dsc
      Size/MD5 checksum:      715 c3057724009f05673b3c75bae5d251a3
    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1.diff.gz
      Size/MD5 checksum:    50332 bb652f41e2606b8cadb2efcdf690ff49
    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28.orig.tar.gz
      Size/MD5 checksum:  2540330 015e4fce09e323997d64ad455524be19

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_alpha.deb
      Size/MD5 checksum:  1406670 bfe02cc93b3b062dc870045d38200659
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_alpha.deb
      Size/MD5 checksum:   457324 1721fd54a25cf63ec902eb1556c096d2

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_arm.deb
      Size/MD5 checksum:  1324028 813b7f5a2afab876fbb5a67c23d537c2
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_arm.deb
      Size/MD5 checksum:   381706 c08ae68a55e0672d6e8be8aaf0670c16

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_i386.deb
      Size/MD5 checksum:  1301398 f20f7221425af30530cc4c32fa93c5d9
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_i386.deb
      Size/MD5 checksum:   360742 c37eb100e007a5afa6fbcc6174f01266

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_ia64.deb
      Size/MD5 checksum:  1517926 fe637601654c1febf069346fdec86b9d
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_ia64.deb
      Size/MD5 checksum:   559014 06ddd5496426d2485d626be919d757cd

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_hppa.deb
      Size/MD5 checksum:  1373344 52a212f168a3e0c10b4125f5452fce83
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_hppa.deb
      Size/MD5 checksum:   427294 4b71238edb2937177ab340715c1e2870

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_m68k.deb
      Size/MD5 checksum:  1279036 250a83073d2e6c60b765b3eb129eda7a
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_m68k.deb
      Size/MD5 checksum:   338394 9a4d00486eee58cb71f9aafd4f1614e2

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_mips.deb
      Size/MD5 checksum:  1350300 fe602f4e3f41413eebcafc26361ab0ad
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_mips.deb
      Size/MD5 checksum:   406784 f16f6e804bbafe0aa1b00d0f6600f25c

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_mipsel.deb
      Size/MD5 checksum:  1348352 2f4c24dda0156a6f012796fa278929f0
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_mipsel.deb
      Size/MD5 checksum:   405042 569a82fe40e936f6786a9cdca87fa981

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_powerpc.deb
      Size/MD5 checksum:  1332422 621a5ccda35cc1c99e6d547674bc22e3
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_powerpc.deb
      Size/MD5 checksum:   390638 d838d8eb58b090ead913a723a4c4a90d

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_s390.deb
      Size/MD5 checksum:  1326880 a10e97f3442362f7e12594f5822cfa0e
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_s390.deb
      Size/MD5 checksum:   381996 6f30ee410a641c6b65942a52786013d9

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_sparc.deb
      Size/MD5 checksum:  1324220 a1310eb747b9565918952ac6fcc0d1fd
    http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_sparc.deb
      Size/MD5 checksum:   376912 b493c279d05503c84a281a003f74a77d


  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gG/xW5ql+IAeqTIRAvgiAJ9/b5Tm/2tPybfkJr5Ktid4ZZ8zDgCfco76
SWREyIAY7PsT56Xz05R/F7s=
=pIbs
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPoF2tih9+71yA2DNAQHG3QP+PayLGgYNN+Cy6sJgbiUyxDyWUrGjo5y1
5DpT+nWVgHwBN6II0WeW2H8xXa4LWGYffrW5SnekNAAsy2bE+hpf20SCp0PBGzuq
g/2rCA9S2gSJODM819tPXxFI6TxzuuOJ1NLR5d7n/iZGxXGknBmpJUSRIP2/g4mn
OZpz7UdkO3A=
=+Lys
-----END PGP SIGNATURE-----
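The advisory's upgrade instructions fetch each .deb with wget and install it with dpkg -i, and the file list publishes a size and MD5 checksum for every package. The practical check a defender wants between those two steps is to compare both values before anything is handed to dpkg. The POSIX shell script below is an added example, not part of DSA 268-1 or the AusCERT bulletin: it takes the two i386 entries from the advisory as its manifest (the URL, size and MD5 are copied from the list above), assumes the files were saved under their original basenames in a local directory, and refuses to install anything if any file fails. The directory path, the DRY_RUN switch and the function names are this example's own. The caveat is that a checksum served from the same mirror as the package only catches a corrupted or mismatched download; the PGP signature on the advisory text is what ties the checksum values themselves to Debian.

```shell
#!/bin/sh
# Added example (not code from DSA 268-1 or AusCERT): verify size and MD5
# of downloaded mutt .deb files against the advisory before running dpkg -i.

# verify_md5 FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when the byte count and the MD5 digest both match.
verify_md5() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# Manifest copied from the advisory's "Intel IA-32 architecture" entries:
# one "url size md5" triple per line. Only the basename is used locally.
MANIFEST='
http://security.debian.org/pool/updates/main/m/mutt/mutt_1.3.28-2.1_i386.deb 1301398 f20f7221425af30530cc4c32fa93c5d9
http://security.debian.org/pool/updates/main/m/mutt/mutt-utf8_1.3.28-2.1_i386.deb 360742 c37eb100e007a5afa6fbcc6174f01266
'

# install_verified DIR
# Checks every manifest entry in DIR; installs all of them only if all
# verify. With DRY_RUN set it prints the dpkg command instead of running it.
install_verified() {
    dir=$1
    failed=0
    debs=""
    # A here-document rather than a pipe keeps the loop in this shell so
    # that $failed and $debs survive after the loop.
    while read -r url size md5; do
        [ -n "$url" ] || continue          # skip blank manifest lines
        deb="$dir/${url##*/}"
        if verify_md5 "$deb" "$size" "$md5"; then
            debs="$debs $deb"
        else
            failed=1
        fi
    done <<EOF
$MANIFEST
EOF
    if [ "$failed" -ne 0 ]; then
        echo "refusing to install: at least one file failed verification" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        echo "would run: dpkg -i$debs"
    else
        dpkg -i $debs                       # names contain no whitespace
    fi
}

# Usage: DRY_RUN=1 sh verify-mutt-update.sh /path/to/downloaded/debs
if [ $# -gt 0 ]; then
    install_verified "$1"
fi
```

Run it with DRY_RUN=1 first to see which files would be installed; a non-zero exit means at least one file did not match the advisory and nothing was passed to dpkg. The same manifest shape works for any other architecture block in the list, since each entry is just the URL followed by the size and MD5 from its "Size/MD5 checksum" line.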