Jonathan Sailor
2011-Dec-25 18:50 UTC
[Secure-testing-team] Bug#653238: alpine vulnerable to CVE-2008-5514
Package: alpine
Version: 2.00+dfsg-6
Severity: grave
Tags: security
Justification: user security hole

The alpine package does not include a fix for CVE-2008-5514.

Vulnerable: lenny lenny-backports squeeze
Fixed in upstream: wheezy sid

The patch is available at [1]. Note since that version is written for uw-imap, the path to rfc822.c is imap/src/c-client/rfc822.c.

[1] http://people.debian.org/~nion/nmu-diff/uw-imap-2007b~dfsg-1_2007b~dfsg-1.1.patch

~jon.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (750, 'stable'), (70, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages alpine depends on:
ii  libc6             2.11.2-10             Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2  1.8.3+dfsg-4squeeze2  MIT Kerberos runtime libraries - k
ii  libkrb5-3         1.8.3+dfsg-4squeeze2  MIT Kerberos runtime libraries
ii  libldap-2.4-2     2.4.23-7.2            OpenLDAP libraries
ii  libncurses5       5.7+20100313-5        shared libraries for terminal hand
ii  libpam0g          1.1.1-6.1+squeeze1    Pluggable Authentication Modules l
ii  libssl0.9.8       0.9.8o-4squeeze4      SSL shared libraries

alpine recommends no packages.

Versions of packages alpine suggests:
ii  aspell                  0.60.6-4          GNU Aspell spell-checker
ii  postfix [mail-transport 2.7.1-1+squeeze1  High-performance mail transport ag

-- debconf-show failed