Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14910
HistoryNov 03, 2006 - 12:00 a.m.

[Full-disclosure] [SECURITY] [DSA 1204-1] New ingo1 packages fix arbitrary shell command execution

2006-11-0300:00:00
vulners.com
34
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA 1204-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
November 2nd, 2006 http://www.debian.org/security/faq

Package : ingo1
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5449
Debian Bug : 396099

It was discovered that the Ingo email filter rules manager performs
insufficient escaping of user-provided data in created procmail rules
files, which allows the execution of arbitrary shell commands.

For the stable distribution (sarge), this problem has been fixed in
version 1.0.1-1sarge1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your ingo1 package.

Upgrade Instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1.dsc
  Size/MD5 checksum:      683 b8be1fc591da938deb08cb78a9d42f0d
http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1.diff.gz
  Size/MD5 checksum:     5161 358e14a64fe43a56cc1b9742f271c3ec
http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1.orig.tar.gz
  Size/MD5 checksum:   733108 509bf92a2ee44597d6ffd9a0a9b4a039

Architecture independent components:

http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1_all.deb
  Size/MD5 checksum:   760018 83f7044a2861f8e6aaea0c684fb2f6e0

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFSoLZXm3vHE4uyloRAmikAJ9wxVnvsfGUoJ2RMKPYHKhHj3ohPACfQkBf
N/hCLdcpjKz+Q/Jz/VxGsZ0=
=a886
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

cve 1
nessus 4
openvas 6
gentoo 1
osv 1
debian 1
freebsd 1
ubuntucve 1
cve
cve
CVE-2006-5449
2006-10-23 17:07:00
nessus
nessus
Ingo Foldername Arbitrary Command Execution
2006-10-20 00:00:00
FreeBSD : ingo -- local arbitrary shell command execution (18a14baa-5ee5-11db-ae08-0008743bf21a)
2006-10-20 00:00:00
GLSA-200611-22 : Ingo H3: Folder name shell command injection
2006-11-27 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1204-1)
2008-01-17 00:00:00
Debian Security Advisory DSA 1204-1 (ingo1)
2008-01-17 00:00:00
FreeBSD Ports: ingo
2008-09-04 00:00:00
gentoo
gentoo
Ingo H3: Folder name shell command injection
2006-11-27 00:00:00
osv
osv
ingo1
2006-11-02 00:00:00
debian
debian
[SECURITY] [DSA 1204-1] New ingo1 packages fix arbitrary shell command execution
2006-11-02 23:46:19
freebsd
freebsd
ingo -- local arbitrary shell command execution
2006-10-18 00:00:00
ubuntucve
ubuntucve
CVE-2006-5449
2006-10-23 00:00:00
JSON
Related for SECURITYVULNS:DOC:14910
cve1nessus4openvas6gentoo1osv1debian1freebsd1ubuntucve1