Summary
The remote host is missing an update to courier announced via advisory DSA 197-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20197-1
Insight
A problem has been discovered in the Courier sqwebmail package, a CGI program that grants authenticated access to local mailboxes. Under certain circumstances the program did not drop permissions fast enough upon startup, so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem.
This problem has been fixed in version 0.37.3-2.3 for the current stable distribution (woody) and in version 0.40.0-1 for the unstable distribution (sid). The old stable distribution (potato) does not contain Courier sqwebmail packages.
We recommend that you upgrade your sqwebmail package immediately.
Severity
Classification
CVE: CVE-2002-1311
CVSS Base Score: 4.6
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P