A problem in the Courier sqwebmail package, a CGI program to grant authenticated access to local mailboxes, has been discovered. The program did not drop permissions fast enough upon startup under certain circumstances so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem. This problem has been fixed in version 0.37.3-2.3 for the current stable distribution (woody) and in version 0.40.0-1 for the unstable distribution (sid). The old stable distribution (potato) does not contain Courier sqwebmail packages. courier-ssl packages are also not affected since they don't expose an sqwebmail package. We recommend that you upgrade your sqwebmail package immediately.
A problem in the Courier sqwebmail package, a CGI program to grant authenticated access to local mailboxes, has been discovered. The program did not drop permissions fast enough upon startup under certain circumstances so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem.
This problem has been fixed in version 0.37.3-2.3 for the current
stable distribution (woody) and in version 0.40.0-1 for the unstable
distribution (sid). The old stable distribution (potato) does not
contain Courier sqwebmail packages. courier-ssl
packages
are also not affected since they don't expose an sqwebmail package.
We recommend that you upgrade your sqwebmail package immediately.
MD5 checksums of the listed files are available in the original advisory.