Your message dated Tue, 26 Feb 2019 23:38:10 +0000
with message-id <e1gymic-000bvr...@fasolo.debian.org>
and subject line Bug#914632: fixed in uw-imap 8:2007f~dfsg-6
has caused the Debian Bug report #914632,
regarding uw-imap: CVE-2018-19518
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
914632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: uw-imap
Version: 8:2007f~dfsg-5
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for uw-imap.
CVE-2018-19518[0]:
| University of Washington IMAP Toolkit 2007f on UNIX, as used in
| imap_open() in PHP and other products, launches an rsh command (by
| means of the imap_rimap function in c-client/imap4r1.c and the
| tcp_aopen function in osdep/unix/tcp_unix.c) without preventing
| argument injection, which might allow remote attackers to execute
| arbitrary OS commands if the IMAP server name is untrusted input (e.g.,
| entered by a user of a web application) and if rsh has been replaced by
| a program with different argument semantics. For example, if rsh is a
| link to ssh (as seen on Debian and Ubuntu systems), then the attack can
| use an IMAP server name containing a "-oProxyCommand" argument.
This was originally filed for PHP (cf. #913775 and cloned bugs), but
the issue could possibly be fixed within osdep/unix/tcp_unix.c in the
IMAP Toolkit code. See the security-tracker page for further
references.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-19518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518
Regards,
Salvatore
--- End Message ---
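The CVE text above describes the root cause: the IMAP server name is handed to rsh (on Debian, a link to ssh) as a command-line argument, so a name that looks like an option is parsed as one. The -6 changelog further down says applications that re-enable rsh access via tcp_parameters() must first sanitize the server name. The following is an added example, not code from uw-imap, PHP or the Debian package, of one way a caller can do that: an allow-list host-name validator (RFC 1123 label syntax, which by construction rejects any name starting with '-') plus a helper that only builds a c-client mailbox spec from a validated host. The function names is_safe_imap_host and build_mailbox_spec are hypothetical; the `{host:port/imap/ssl}` spec syntax is c-client's own, and the sample names in main() are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not from uw-imap or Debian).
 * Strict allow-list check for an IMAP server name before it reaches
 * c-client or PHP's imap_open(). Accepts only RFC 1123 host names:
 * dot-separated labels of ASCII letters, digits and '-', each 1..63
 * characters, no label starting or ending with '-', total length at
 * most 253. Anything else is rejected, including names that begin
 * with '-' (which a command line would read as an option), names with
 * whitespace or shell metacharacters, and IPv6 literals, which are
 * deliberately out of scope here. IPv4 dotted quads pass naturally. */
bool is_safe_imap_host(const char *host)
{
    if (host == NULL) return false;
    size_t len = strlen(host);
    if (len == 0 || len > 253) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_len == 0 || host[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;
        /* a label (and therefore the whole name) may not start with '-' */
        if (label_len == 0 && c == '-') return false;
        if (++label_len > 63) return false;
    }
    /* the final label must be non-empty and must not end in '-' */
    if (label_len == 0 || host[len - 1] == '-') return false;
    return true;
}

/* Hypothetical helper: build a c-client mailbox spec such as
 * "{imap.example.org:993/imap/ssl}" only from a validated host and a
 * port in 1..65535. Returns false (and writes nothing useful) if the
 * host fails validation or the output buffer is too small, so the
 * caller never passes an unvalidated name on to the library. */
bool build_mailbox_spec(const char *host, unsigned port, bool use_ssl,
                        char *out, size_t outlen)
{
    if (!is_safe_imap_host(host) || port < 1 || port > 65535) return false;
    int n = snprintf(out, outlen, "{%s:%u/imap%s}", host, port,
                     use_ssl ? "/ssl" : "");
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* constructed sample inputs: one valid host, two that must be refused */
    const char *samples[] = { "imap.example.org", "-oProxyCommand", "imap..example.org" };
    char spec[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = build_mailbox_spec(samples[i], 993, true, spec, sizeof spec);
        printf("%-20s -> %s\n", samples[i], ok ? spec : "rejected");
    }
    return 0;
}
```

The validator is an allow-list, not a blocklist of known option prefixes: it does not need to know which program rsh resolves to, because nothing outside the host-name grammar is ever forwarded.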
--- Begin Message ---
Source: uw-imap
Source-Version: 8:2007f~dfsg-6
We believe that the bug you reported is fixed in the latest version of
uw-imap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 914...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated uw-imap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 27 Feb 2019 00:08:08 +0100
Source: uw-imap
Binary: libc-client2007e libc-client2007e-dbgsym libc-client2007e-dev mlock mlock-dbgsym uw-mailutils uw-mailutils-dbgsym
Architecture: source amd64
Version: 8:2007f~dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Description:
libc-client2007e - c-client library for mail protocols - library files
libc-client2007e-dev - c-client library for mail protocols - development files
mlock - mailbox locking program
uw-mailutils - c-client support programs
Closes: 914632
Changes:
uw-imap (8:2007f~dfsg-6) unstable; urgency=medium
.
* [CVE-2018-19518] 2013_disable_rsh.patch (new): Disable access to IMAP
mailboxes through running imapd over rsh, and therefore ssh (Closes:
#914632). Code using the library can enable it with tcp_parameters()
after making sure that the IMAP server name is sanitized.
* Change Priority: extra of -dev package to optional.
* Move git repository to salsa.debian.org.
Checksums-Sha1:
15edc35513a0bf50a303bebcc50914bb337faa19 2128 uw-imap_2007f~dfsg-6.dsc
92247a666a14f4f9df8e941a025e22d62da0af4b 43756 uw-imap_2007f~dfsg-6.debian.tar.xz
e18742a8a66b48729f3f76de46998099c2b8b250 675512 libc-client2007e-dbgsym_2007f~dfsg-6_amd64.deb
aa24f30c0e0dffb43629a44c880d1124fc4377ee 527588 libc-client2007e-dev_2007f~dfsg-6_amd64.deb
6acc25e4d7ea884f699f2163c3f06333d431b62a 603700 libc-client2007e_2007f~dfsg-6_amd64.deb
2b881c1813e4f83182980f9038e41cb1e30b68a8 8296 mlock-dbgsym_2007f~dfsg-6_amd64.deb
1a08191bdbd342fe66705733f69888ff440b7896 35384 mlock_2007f~dfsg-6_amd64.deb
256e2739b342ead09f5cbaea911ba8d4226d2c9e 10220 uw-imap_2007f~dfsg-6_amd64.buildinfo
4e0bd4d6ff9e51a9130e2047c9b915268e64dede 67480 uw-mailutils-dbgsym_2007f~dfsg-6_amd64.deb
cf523fc04c90265d1e75e08cab13c117697af49b 58276 uw-mailutils_2007f~dfsg-6_amd64.deb
Checksums-Sha256:
b8891d31b6df15f437a27368453d56b059057e8fc2d5448bd59ccdf5e409fb5c 2128 uw-imap_2007f~dfsg-6.dsc
b4448f8630344da8a758d8db3f989272cd7f476adbae1f457d49f61793b71632 43756 uw-imap_2007f~dfsg-6.debian.tar.xz
f531a765a79bf5d231144f6c8c831e0a447e71c02dd351e111663ec8a5658f58 675512 libc-client2007e-dbgsym_2007f~dfsg-6_amd64.deb
7f63c9d690b577e5315417c950df00175abae4733f24f30e0f02cce4018e7664 527588 libc-client2007e-dev_2007f~dfsg-6_amd64.deb
6362b2cbd91d6d881a85f6cc2239c1159ab2de0014662fc9b884e480389ed5a2 603700 libc-client2007e_2007f~dfsg-6_amd64.deb
ca4a842256060ad0a216220d9260ea67f164a0a7f581cdd8d48bf60340ee9139 8296 mlock-dbgsym_2007f~dfsg-6_amd64.deb
2ca5e5257053f04db3ce49d578c52e1c707089cacb21d4c9420f12d8743a5ce3 35384 mlock_2007f~dfsg-6_amd64.deb
850da4e6d9da6ebcad71047c3374c6610058ce4b19899da9da846394ea574b10 10220 uw-imap_2007f~dfsg-6_amd64.buildinfo
f3ecff2f624f49ce800e26fe314dcc3a5804d23ef9dea66773ddde172be9430f 67480 uw-mailutils-dbgsym_2007f~dfsg-6_amd64.deb
ae44e9b7addeff02c0d46c56499d5f5c2a8ce9f796972dc39175d45176baa969 58276 uw-mailutils_2007f~dfsg-6_amd64.deb
Files:
60b9a34deeccb41a166bb4b511c63931 2128 mail optional uw-imap_2007f~dfsg-6.dsc
5eb7c35a9ea7bc5bf14399b071da07cf 43756 mail optional uw-imap_2007f~dfsg-6.debian.tar.xz
4d4ed0d1e4dd314cd6275369ed85cd24 675512 debug optional libc-client2007e-dbgsym_2007f~dfsg-6_amd64.deb
88ee7f4793c3d444e05bd2dae8d8a491 527588 libdevel optional libc-client2007e-dev_2007f~dfsg-6_amd64.deb
8914c5a2e848d8ef0dbec686babb84ba 603700 libs optional libc-client2007e_2007f~dfsg-6_amd64.deb
b796a652f5329f7520fee08e7d5b9fd4 8296 debug optional mlock-dbgsym_2007f~dfsg-6_amd64.deb
b4d9dae8a6c3420864847ea9dc437a0e 35384 mail optional mlock_2007f~dfsg-6_amd64.deb
82c9e93093d65024ae10918f8e6defc6 10220 mail optional uw-imap_2007f~dfsg-6_amd64.buildinfo
d73d5bf991f8dac5a4d83592b94a93e5 67480 debug optional uw-mailutils-dbgsym_2007f~dfsg-6_amd64.deb
1e7d3ffdf51cd5fb330caa047e001618 58276 mail optional uw-mailutils_2007f~dfsg-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---