Impact
An authenticated user can exploit a vulnerability in the Mailu fetchmail script and gain full access to a Mailu server. Details about the vulnerability and exploitation path will be published later.
Mailu servers that have open registration or untrusted users are most likely to be impacted.
Mailu servers that do not have the (optional) fetchmail feature enabled are not impacted.
Patches
- The master and 1.7 branches are patched on our git repository.
- All Docker images published on docker.io/mailu for tags 1.5, 1.6, 1.7 and master are patched.
For detailed instructions about patching and securing the server afterwards, see #1354
Workarounds
One of these workarounds should prevent exploitation:
- Bring the fetchmail service down: `docker-compose stop fetchmail`
- Bring the Mailu stack down: `docker-compose stop`
For detailed instructions, see #1354
References
- Detailed instructions: #1354
For more information
If you have any questions or comments about this advisory, please comment on the dedicated thread: #1355
If you have specific questions that you cannot ask in public, please contact us at: contact@mailu.io.