Note: This is an archival copy of Security Sun Alert 200360 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000253.1.
Date of Workaround Release
Date of Resolved Release
On Sun Linux and Sun Cobalt systems, a remote user may be able to execute arbitrary commands with access rights of another user who is running the "fetchmail" program. Depending on the system's configuration, this could lead to unauthorized root access.
This issue is described in
2. Contributing Factors
This issue can occur in the following releases:
Sun Linux 5.0
Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server.
There are no symptoms that would show the described issue has been exploited on a system.
As a possible workaround for Sun Cobalt Server Appliances (Qube 3 and Qube 2), disable remote mail acquisition through the Cobalt GUI (go to the "Email Services" tab under "Remote Retrieval" and uncheck the "Enable Remote Retrieval" check box). As a result, remote mail retrieval will not function until it is re-enabled.
This issue is addressed in the following releases:
Sun Linux 5.0
Cobalt Qube 3
Instructions for downloading the above packages can be found in 1234813.1 in MyOracleSupport.
Note: This Sun Alert was originally created to resolve the issue described in http://security.e-matters.de/advisories/032002.html.
The above patches also address the issues described in http://security.e-matters.de/advisories/052002.html.
Sun Cobalt Qube 3 Server
24-JUN-2003: Updated Resolution section. Resolved.