Package        : qpopper
Vulnerability  : missing privilege release
Problem-Type   : local
Debian-specific: no
CVE IDs        : CAN-2005-1151 CAN-2005-1152
Two bugs have been discovered in qpopper, an enhanced Post Office Protocol (POP3) server. The Common Vulnerabilities and Exposures project identifies the following problems:
CAN-2005-1151
Jens Steube discovered that while processing local files owned or provided by a normal user, privileges weren't dropped, which could lead to the overwriting or creation of arbitrary files as root.
CAN-2005-1152
The upstream developers noticed that qpopper could be tricked into creating group- or world-writable files.
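The defensive pattern for both bug classes above, in C: release root before touching a user-controlled path, and create per-user files with an explicit owner-only mode. This is an added example, not code from qpopper or from this advisory, and it does not show how upstream fixed the bugs; drop_to_user and open_private are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* glibc: expose setgroups() and O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: permanently become uid/gid before touching user files. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) { /* order: supplementary groups, gid, then uid */
        if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            return -1;
    }
    /* Do not trust the return codes alone: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: open or create a file only its owner may write. */
int open_private(const char *path)
{
    struct stat st;
    /* Explicit 0600 (umask can only clear bits); O_NOFOLLOW rejects a final symlink. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    /* Reject existing files that are not ours or are group/world-writable. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Demo: drop to the invoking user, then open the path in argv[1]. */
    if (argc != 2 || drop_to_user(getuid(), getgid()) != 0)
        return 1;
    return open_private(argv[1]) >= 0 ? 0 : 1;
}
```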
For the stable distribution (woody) these problems have been fixed in version 4.0.4-2.woody.5.
For the testing distribution (sarge) these problems have been fixed in version 4.0.5-4sarge1.
For the unstable distribution (sid) these problems will be fixed in version 4.0.5-4sarge1.
We recommend that you upgrade your qpopper package.
Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------