--------------------------------------------------------------------------
Debian Security Advisory DSA 373-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
August 16th, 2003                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : autorespond
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0654

Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.
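The advisory's caveat is that the overflow is held in check only by incidental limits on input length, which is exactly the kind of assumption a defender should not rely on. As an added illustration (this is constructed example code, not autorespond's source, and the page does not say which buffer or header was affected), the following C shows a header value being copied into a fixed-size buffer with an explicit bound and an explicit rejection of oversize input, so correctness does not depend on what an upstream component happens to pass along. The buffer size, function names and the sample inputs are all assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size for a fixed header-value slot; not autorespond's value. */
#define HEADER_MAX 256

/*
 * Copy a NUL-terminated header value into a fixed-size buffer.
 * Returns 0 when the whole value fit, -1 when it did not; in the latter
 * case dst holds a truncated, NUL-terminated copy and nothing is ever
 * written past dst[dstlen - 1]. Hypothetical helper for illustration.
 */
int copy_header_value(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;

    size_t n = strlen(src);
    if (n >= dstlen) {
        /* Would overflow: keep what fits, terminate, and report it. */
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminating NUL */
    return 0;
}

/*
 * Simulate handling the From: header of an incoming message.
 * Returns 1 when the message would be processed, 0 when it is rejected
 * because the header is larger than the local buffer. The decision is
 * made here, not delegated to whatever length limit the MTA may enforce.
 */
int process_from_header(const char *from)
{
    char buf[HEADER_MAX];

    if (copy_header_value(buf, sizeof buf, from) != 0)
        return 0;   /* oversize: refuse rather than trust upstream limits */

    /* ... normal autoresponse handling would use buf here ... */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *normal = "alice@example.org";
    char oversize[HEADER_MAX + 64];
    memset(oversize, 'a', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';

    printf("normal header accepted:   %d\n", process_from_header(normal));
    printf("oversize header accepted: %d\n", process_from_header(oversize));
    return 0;
}
```

The point of returning a status from the copy rather than silently truncating is that truncation can itself change meaning (an address or a Reply-To value cut in half), so the caller gets to decide; here it simply refuses the message.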
http://www.debian.org/security/2003/dsa-373

net-mail/qmail-autoresponder-0.96.1 is currently what's in portage. The CVE contained no version info, so tracking this down (what's vulnerable and what's not) is a little pain in the rear. Best I can tell is the version we have in portage is really old. (Is there a reason for this?)

http://www.debian.org/security/2003/dsa-373 has patches for 2.02 of the autoresponder.
OK, as we can't seem to get a response from anybody from net-mail on this, I'm going to have to package.mask everything below <2.02.
Now masked in package.mask revision 1.2421.
I did a little research and found that autorespond != qmail-autoresponder.

qmail-autoresponder is at http://untroubled.org/qmail-autoresponder/

autorespond is at <http://www.netmeridian.com/e-huss/autorespond.tar.gz> and was modified by Debian. Their modified source is linked to from the original advisory at <http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00175.html>

Removed qmail-autoresponder from package.mask, rev 1.2422.

FYI, we do not have, and do not need, an ebuild for autorespond. I believe that qmail-autoresponder is more robust and better maintained.
Thanks, Rajiv.