Rapid7 Vulnerability & Exploit Database

CESA-2007:0386: mutt security update

Back to Search

CESA-2007:0386: mutt security update

Severity
4
CVSS
(AV:L/AC:H/Au:S/C:P/I:P/A:P)
Published
05/15/2007
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

An updated mutt package that fixes several security bugs is now available for CentOS Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Mutt is a text-mode mail user agent. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted "Real Name" which could execute arbitrary code if a victim uses Mutt and expands the attackers alias. (CVE-2007-2683) All users of mutt should upgrade to this updated package, which contains a backported patches to correct these issues.

Solution(s)

  • centos-upgrade-mutt

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;