Test ID: 1.3.6.1.4.1.25623.1.0.703105
Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 3105-1 (heirloom-mailx - security update)
Description:
Summary:
Two security vulnerabilities were
discovered in Heirloom mailx, an implementation of the mail command:

CVE-2004-2771
mailx interprets shell meta-characters in certain email
addresses.

CVE-2014-7844
An unexpected feature of mailx treats syntactically valid email
addresses as shell commands to execute.

Shell command execution can be re-enabled using the expandaddr
option.

Note that this security update does not remove all mailx facilities
for command execution, though. Scripts which send mail to addresses
obtained from an untrusted source (such as a web form) should use the
-- separator before the email addresses (which was fixed to work
properly in this update), or they should be changed to invoke
mail -t or sendmail -i -t instead, passing the recipient addresses
as part of the mail header.
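
An added example (not part of the advisory or of heirloom-mailx) of the two invocation styles the note above recommends for scripts that handle untrusted recipient addresses. The function names and the address allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the allowlist are assumptions, not from the advisory.
NL='
'
CR=$(printf '\r')

# Conservative allowlist: one addr-spec, no leading '-', no shell or header metacharacters.
valid_address() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9@._+-]*) return 1 ;;
        *@*) return 0 ;;
    esac
    return 1
}

# A header value must stay on one line, or it can smuggle in extra headers.
valid_header_value() {
    case "$1" in
        *"$NL"* | *"$CR"*) return 1 ;;
    esac
    return 0
}

# Build the message with the recipient in the header, as `sendmail -i -t` expects.
build_message() {   # usage: build_message ADDRESS SUBJECT BODY
    valid_address "$1" || return 1
    valid_header_value "$2" || return 1
    printf 'To: %s\nSubject: %s\n\n%s\n' "$1" "$2" "$3"
}

# Style 1: the recipient never appears on a command line.
send_via_sendmail() {
    msg=$(build_message "$1" "$2" "$3") || return 1
    printf '%s\n' "$msg" | sendmail -i -t
}

# Style 2: `--` ends option parsing before the address (needs the fixed package).
send_via_mailx() {
    valid_address "$1" || return 1
    valid_header_value "$2" || return 1
    printf '%s\n' "$3" | mailx -s "$2" -- "$1"
}

# Constructed sample input; prints the message that would be piped to sendmail.
build_message 'user@example.org' 'Form submission' 'Hello from the web form.'
```

The allowlist is deliberately stricter than the full address grammar, so that a rejected value fails closed instead of reaching the mailer.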

Affected Software/OS:
heirloom-mailx on Debian Linux

Solution:
For the stable distribution (wheezy),
these problems have been fixed in version 12.5-2+deb7u1.

We recommend that you upgrade your heirloom-mailx packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2004-2771
Debian Security Information: DSA-3105
http://www.debian.org/security/2014/dsa-3105
http://seclists.org/oss-sec/2014/q4/1066
RedHat Security Advisories: RHSA-2014:1999
http://rhn.redhat.com/errata/RHSA-2014-1999.html
http://secunia.com/advisories/60940
http://secunia.com/advisories/61585
http://secunia.com/advisories/61693
Common Vulnerability Exposure (CVE) ID: CVE-2014-7844
http://linux.oracle.com/errata/ELSA-2014-1999.html
http://www.debian.org/security/2014/dsa-3104
Copyright: Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net

© 1998-2024 E-Soft Inc. All rights reserved.