Courier sqwebmail mail transport agent (MTA) fails to properly enforce permissions
| courier-mta-insecure-permissions (10643) |  Medium Risk |
Description:
Courier could allow a local attacker to obtain sensitive information. Courier fails to properly enforce permissions, which could allow a local attacker to read arbitrary files on the system.
Consequences:
Obtain Information
Remedy:
For Debian GNU/Linux:
Upgrade to the latest sqwebmail package, as listed below. Refer to DSA-197-1 for more information. See References.
Debian GNU/Linux 3.0 (woody): 0.37.3-2.3 or later
For Gentoo Linux:
Upgrade versions net-mail/courier-0.40.0.20021026 and earlier, as listed in Gentoo Linux Security Announcement 2002-11-19. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Courier Web site: Courier Mail Server.
- Gentoo Linux Security Announcement 200211-005: courier -- buffer overflow.
- BID-6189: Courier SqWebMail File Disclosure Vulnerability
- CVE-2002-1311: Courier sqwebmail before 0.40.0 does not quickly drop privileges after startup in certain cases, which could allow local users to read arbitrary files.
- DSA-197: courier -- buffer overflow
Platforms Affected:
- Debian Debian Linux 3.0
- Double Precision Courier
- Gentoo Linux
Reported:
Nov 15, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net