DEBIAN:DLA-383-1:08B04
Jan 12, 2016 - 11:03 p.m.

[SECURITY] [DLA 383-1] claws-mail security update

2016-01-12 23:03:05
lists.debian.org

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 7.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.2 Medium (Confidence: High)

EPSS: 0.006 Low (Percentile: 78.2%)

Package        : claws-mail
Version        : 3.7.6-4+squeeze2
CVE ID         : CVE-2015-8614 CVE-2015-8708

"DrWhax" of the Tails project reported that Claws Mail is missing
range checks in some text conversion functions.  A remote attacker
could exploit this to run arbitrary code under the account of a user
that receives a message from them using Claws Mail.

CVE-2015-8614

There were no checks on the output length for conversions between
JIS (ISO-2022-JP) and EUC-JP, between JIS and UTF-8, and from
Shift_JIS to EUC-JP.

CVE-2015-8708

The original fix for CVE-2015-8614 was incomplete.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 3.7.6-4+squeeze2.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), this will be fixed soon.  These versions were built with
hardening features that make this issue harder to exploit.

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
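
The kind of output-length check the advisory says was missing, as an added example (not Claws Mail's code or its patch): a Shift_JIS to EUC-JP converter that verifies the remaining output space before every write. Half-width katakana grow from one byte to two in EUC-JP, so a buffer sized to the input is too small; the function name, return convention and sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
/* Shift_JIS -> EUC-JP into out[outlen] (hypothetical helper, not Claws Mail's).
 * Returns bytes written excluding the NUL, or -1 if the result would not fit
 * or the input is malformed. Space is checked before every write. */
long sjis_to_eucjp(const unsigned char *in, size_t inlen,
                   unsigned char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    if (outlen == 0) return -1;
    while (i < inlen) {
        unsigned char c1 = in[i], c2, j1, j2;
        if (c1 < 0x80) {                          /* ASCII: 1 byte -> 1 byte */
            if (outlen - o < 2) return -1;        /* byte + trailing NUL */
            out[o++] = c1;
            i++;
        } else if (c1 >= 0xA1 && c1 <= 0xDF) {    /* half-width kana: 1 -> 2 */
            if (outlen - o < 3) return -1;
            out[o++] = 0x8E;                      /* EUC-JP single-shift 2 */
            out[o++] = c1;
            i++;
        } else if ((c1 >= 0x81 && c1 <= 0x9F) || (c1 >= 0xE0 && c1 <= 0xEF)) {
            if (inlen - i < 2) return -1;         /* truncated pair */
            c2 = in[i + 1];
            if (c2 < 0x40 || c2 == 0x7F || c2 > 0xFC) return -1;
            if (outlen - o < 3) return -1;
            j1 = (unsigned char)(((c1 >= 0xE0 ? c1 - 0xC1 : c1 - 0x81) << 1) + 0x21);
            if (c2 >= 0x9F) { j1++; j2 = (unsigned char)(c2 - 0x7E); }
            else j2 = (unsigned char)((c2 >= 0x80 ? c2 - 1 : c2) - 0x1F);
            out[o++] = j1 | 0x80;                 /* JIS row/cell -> EUC-JP */
            out[o++] = j2 | 0x80;
            i += 2;
        } else {
            return -1;                            /* not a valid lead byte */
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed input: four half-width katakana (4 bytes in, 8 bytes out). */
    const unsigned char kana[] = { 0xB1, 0xB2, 0xB3, 0xB4 };
    unsigned char tight[sizeof kana + 1], big[2 * sizeof kana + 1];
    printf("input-sized buffer: %ld\n", sjis_to_eucjp(kana, sizeof kana, tight, sizeof tight));
    printf("2n+1 buffer:        %ld\n", sjis_to_eucjp(kana, sizeof kana, big, sizeof big));
    return 0;
}
```

A caller that sizes the destination as `2 * inlen + 1` covers the worst case for this direction; the converter still rejects anything larger instead of writing past the end.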
