Startseite ▼ Bookkeeping
Online ▼ Sicherheits
Überprüfungs ▼
Verwaltetes
DNS ▼
Info
Bestellen/Erneuern
FAQ
AUP
Dynamic DNS Clients
Domaine konfigurieren Dyanmic DNS Update Password Netzwerk
Überwachung ▼
Enterprise
Erweiterte
Standard
Gratis Test
FAQ
Preis/Funktionszusammenfassung
Bestellen
Beispiele
Konfigurieren/Status Alarm Profile | |||
Test Kennung: | 1.3.6.1.4.1.25623.1.0.703104 |
Kategorie: | Debian Local Security Checks |
Titel: | Debian Security Advisory DSA 3104-1 (bsd-mailx - security update) |
Zusammenfassung: | It was discovered that bsd-mailx,;an implementation of the mail command, had an undocumented feature which treats;syntactically valid email addresses as shell commands to execute.;;Users who need this feature can re-enable it using the expandaddr in an;appropriate mailrc file. This update also removes the obsolete -T option. An;older security vulnerability, CVE-2004-2771, had already been addressed in the;Debian's bsd-mailx package.;;Note that this security update does not remove all mailx facilities for;command execution, though. Scripts which send mail to addresses obtained;from an untrusted source (such as a web form) should use the -- separator;before the email addresses (which was fixed to work properly in this update),;or they should be changed to invoke mail -t or sendmail -i -t instead, passing;the recipient addresses as part of the mail header. |
Beschreibung: | Summary: It was discovered that bsd-mailx, an implementation of the mail command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute. Users who need this feature can re-enable it using the expandaddr in an appropriate mailrc file. This update also removes the obsolete -T option. An older security vulnerability, CVE-2004-2771, had already been addressed in the Debian's bsd-mailx package. Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the -- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke mail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header. Affected Software/OS: bsd-mailx on Debian Linux Solution: For the stable distribution (wheezy), this problem has been fixed in version 8.1.2-0.20111106cvs-1+deb7u1. We recommend that you upgrade your bsd-mailx packages. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Querverweis: |
Common Vulnerability Exposure (CVE) ID: CVE-2004-2771 Debian Security Information: DSA-3105 (Google Search) http://www.debian.org/security/2014/dsa-3105 http://seclists.org/oss-sec/2014/q4/1066 RedHat Security Advisories: RHSA-2014:1999 http://rhn.redhat.com/errata/RHSA-2014-1999.html http://secunia.com/advisories/60940 http://secunia.com/advisories/61585 http://secunia.com/advisories/61693 Common Vulnerability Exposure (CVE) ID: CVE-2014-7844 http://linux.oracle.com/errata/ELSA-2014-1999.html http://www.debian.org/security/2014/dsa-3104 |
Copyright | Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net |
Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten. |