--------------------------------------------------------------------------
Debian Security Advisory DSA 347-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 8th, 2003                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : teapop
Vulnerability  : SQL injection
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0515

teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

net-mail/teapop-0.3.5 is still in the portage tree. It needs to be package.masked, fixed, or removed from the tree altogether. I see no updated versions at the teapop homepage at http://www.toontown.org/teapop/download.php. Patches/workarounds welcome.
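
The flaw class the advisory describes, as an added illustration that is not teapop's code and not part of the original report: a user lookup that pastes the login name into the SQL text, next to one that binds it as a parameter. The table, column names and accounts are constructed, and SQLite stands in for the PostgreSQL/MySQL back ends so the example runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample accounts; teapop's real schema is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO mailbox VALUES (?, ?)",
        [("alice", "correct-horse"), ("o'brien", "s3cret")],
    )
    return db


def lookup_unescaped(db, username):
    # Flawed pattern: the login name becomes part of the SQL text, so a quote
    # in the name ends the string literal and the rest is parsed as SQL.
    query = "SELECT password FROM mailbox WHERE username = '%s'" % username
    return db.execute(query).fetchall()


def lookup_bound(db, username):
    # Corrected pattern: the name is passed as a bound parameter and is
    # only ever compared as data, whatever characters it contains.
    query = "SELECT password FROM mailbox WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def compare(db, username):
    """Return (unescaped_result, bound_result) for one login name."""
    try:
        unescaped = lookup_unescaped(db, username)
    except sqlite3.Error as exc:
        unescaped = "error: %s" % type(exc).__name__
    return unescaped, lookup_bound(db, username)


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a legitimate name containing a quote,
    # and a name that matches no account but rewrites the WHERE clause.
    for name in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(name), compare(db, name))
```

The legitimate name containing an apostrophe fails in the unescaped lookup and succeeds in the bound one, so the missing escaping is a correctness bug as well as a security one.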