Bug#: 26780
Status: RESOLVED
Resolution: INVALID
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>
Description: Opened: 2003-08-17 00:42 0000
--------------------------------------------------------------------------
Debian Security Advisory DSA 373-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
August 16th, 2003                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : autorespond
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0654

Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail.  This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond.  This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
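
The advisory's last sentence is the part worth remembering: a fixed-size copy that is "not believed to be exploitable" only because some upstream component happens to cap the input is still a bug, and it becomes exploitable the moment the input arrives through a path without that cap. The following is an added C example illustrating that bug class, not code from autorespond, Debian or Gentoo; the ADDR_MAX size, the choice of the From: header, the sample message and all function names are assumptions made for the example. The vulnerable copy is shown beside a hardened one that enforces the bound itself instead of trusting the caller.

```c
/* Added example: constructed illustration of the DSA 373-1 bug class (a
 * fixed-size buffer filled from an untrusted mail header). Not autorespond's
 * code; ADDR_MAX, the "From" header and the function names are assumptions.
 * Build: cc -std=c99 -Wall example.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX 256   /* assumed fixed buffer size, for illustration only */

/* Case-insensitive match of "Name:" at the start of a header line. */
static int header_name_matches(const char *line, const char *name, size_t namelen)
{
    for (size_t i = 0; i < namelen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[namelen] == ':';
}

/* Find header `name` in the header block (everything before the first blank
 * line). Returns a pointer to its value and stores the value length in *len,
 * or returns NULL if the header is absent. CRLF and LF endings are accepted. */
static const char *find_header(const char *msg, const char *name, size_t *len)
{
    size_t namelen = strlen(name);
    const char *line = msg;

    while (*line && line[0] != '\n' && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen && line[linelen - 1] == '\r')
            linelen--;
        if (linelen > namelen && header_name_matches(line, name, namelen)) {
            const char *val = line + namelen + 1;
            while (val < line + linelen && (*val == ' ' || *val == '\t'))
                val++;                       /* skip leading whitespace */
            *len = (size_t)(line + linelen - val);
            return val;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return NULL;
}

/* Vulnerable pattern: the copy is not bounded by the buffer. It only looks
 * safe while something upstream happens to cap header lengths; through a
 * delivery path without that cap it writes past `out`. Kept for contrast
 * only; never call it on untrusted input. */
static int unsafe_sender(const char *msg, char out[ADDR_MAX])
{
    size_t len;
    const char *v = find_header(msg, "From", &len);
    if (!v)
        return -1;
    memcpy(out, v, len);                     /* no check against ADDR_MAX */
    out[len] = '\0';
    return 0;
}

/* Hardened form: the bound is enforced here, not assumed of the caller.
 * Oversized values are rejected rather than silently truncated, since a
 * truncated address can still be a valid, different address. */
static int safe_sender(const char *msg, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_header(msg, "From", &len);
    if (!v)
        return -1;
    if (len >= outsz)
        return -2;                           /* value plus NUL does not fit */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Would unsafe_sender() write past an ADDR_MAX buffer for this message? */
static int would_overflow(const char *msg)
{
    size_t len;
    const char *v = find_header(msg, "From", &len);
    return v != NULL && len + 1 > ADDR_MAX;
}

/* Constructed sample message whose From: value is n bytes long (caller frees). */
static char *make_message(size_t n)
{
    const char *head = "Received: from mx.example.invalid\r\nFrom: ";
    const char *tail = "\r\nSubject: hello\r\n\r\nbody\r\n";
    size_t hl = strlen(head);
    char *m = malloc(hl + n + strlen(tail) + 1);
    if (!m)
        return NULL;
    memcpy(m, head, hl);
    memset(m + hl, 'a', n);
    strcpy(m + hl + n, tail);
    return m;
}

int main(void)
{
    char out[ADDR_MAX];
    char *ok = make_message(40), *big = make_message(300);
    printf("40-byte From: safe=%d overflow=%d\n", safe_sender(ok, out, sizeof out), would_overflow(ok));
    printf("300-byte From: safe=%d overflow=%d (unsafe_sender deliberately not run)\n",
           safe_sender(big, out, sizeof out), would_overflow(big));
    free(ok);
    free(big);
    return 0;
}
```

The point of `would_overflow()` is the audit question the advisory leaves open: instead of reasoning about whether any current caller can deliver a header longer than the buffer, enumerate the inputs that would overflow and make the parser reject them itself.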

------- Comment #1 From solar 2003-09-22 01:03:21 0000 -------
http://www.debian.org/security/2003/dsa-373

net-mail/qmail-autoresponder-0.96.1 is currently what's in portage.
The CVE contained no version info, so tracking this down (what's vuln and what's not) is a little pain in the rear.

Best I can tell, the version we have in portage is really old. (Is there a reason for this?)

http://www.debian.org/security/2003/dsa-373 has patches for 2.02 of the autoresponder.

------- Comment #2 From solar 2003-09-24 11:32:04 0000 -------
OK, as we can't seem to get a response from anybody from net-mail on this, I'm
going to have to package.mask everything below <2.02.

------- Comment #3 From solar 2003-09-24 11:35:36 0000 -------
Now masked in package.mask revision 1.2421.

------- Comment #4 From Rajiv Aaron Manglani 2003-09-25 00:43:05 0000 -------
I did a little research and found that autorespond != qmail-autoresponder.

qmail-autoresponder is at http://untroubled.org/qmail-autoresponder/

autorespond is at <http://www.netmeridian.com/e-huss/autorespond.tar.gz> and was
modified by Debian. Their modified source is linked to from the original advisory at
<http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00175.html>

Removed qmail-autoresponder from package.mask rev 1.2422.

FYI we do not have, and do not need, an ebuild for autorespond. I believe that
qmail-autoresponder is more robust and better maintained.

------- Comment #5 From solar 2003-09-26 01:22:18 0000 -------
Thanks Rajiv.