Debian DLA-1700-1 : uw-imap security update
High Nessus Plugin ID 122548
SynopsisThe remote Debian host is missing a security update.
DescriptionA vulnerability was discovered in uw-imap, the University of Washington IMAP Toolkit, that might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics.
This update disables access to IMAP mailboxes through running imapd over rsh, and therefore ssh for users of the client application. Code which uses the library can still enable it with tcp_parameters() after making sure that the IMAP server name is sanitized.
For Debian 8 'Jessie', this problem has been fixed in version 8:2007f~dfsg-4+deb8u1.
We recommend that you upgrade your uw-imap packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpgrade the affected packages.