Your message dated Mon, 10 Apr 2006 11:32:41 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line pine: security hole in imap support
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: pine
Version: 4.62-1
Severity: grave
Justification: user security hole

http://www.washington.edu/pine/ says:

Note: Install Pine 4.64, or later version, to fix a buffer overflow
problem. Read iDEFENSE Security Advisory for full details.

The advisory is here:

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=313

Pine appears to use the UW-IMAP client-side IMAP library, which has a
bug that allows access to the system by the user running Pine.

The version of Pine shipped in Sarge is 4.62 and I've seen no
security-related release to address this issue.  I realize that Pine
is in non-free but we're leaving our users out to dry here ...

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.13
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages pine depends on:
ii  libc6                     2.3.2.ds1-22   GNU C Library: Shared libraries an
ii  libldap2                  2.1.30-8       OpenLDAP libraries
ii  libncurses5               5.4-4          Shared libraries for terminal hand
ii  libssl0.9.7               0.9.7e-3sarge1 SSL shared libraries
ii  mime-support              3.28-1         MIME files 'mime.types' & 'mailcap

-- no debconf information

-- 
        Will


--- End Message ---
--- Begin Message ---
On Mon, 16 Jan 2006, Will Lowe wrote:

> Package: pine
> Version: 4.62-1
> Severity: grave
> Justification: user security hole
> 
> http://www.washington.edu/pine/ says:
> 
> Note: Install Pine 4.64, or later version, to fix a buffer overflow
> problem. Read iDEFENSE Security Advisory for full details.
> 
> The advisory is here:
> 
> http://www.idefense.com/intelligence/vulnerabilities/display.php?id=313
> 
> Pine appears to use the UW-IMAP client-side IMAP library, which has a
> bug that allows access to the system by the user running Pine.
> 
> The version of Pine shipped in Sarge is 4.62 and I've seen no
> security-related release to address this issue.  I realize that Pine
> is in non-free but we're leaving our users out to dry here ...

Thanks for the report.

I've prepared packages fixing this for woody and sarge, and they are
now in the hands of the security team, so there is not anything more
to do on my side.

--- End Message ---
