Recently Alt-N received a report from a security researcher describing how WorldClient, MDaemon’s web-based email client, can be exploited by authenticated users in a way that can lead to remote code execution. The Alt-N development team has built and tested a patch to correct the potential vulnerability.
What versions of MDaemon are affected?
MDaemon versions 13.0, 13.5, 13.6, and 14.0.0 are affected.
Can I upgrade even if I don’t have upgrade protection?
Yes. Alt-N has prepared a special build for your version. For example if you run version 13.5.x today download the 13.5.3 version from the download page.
What is the security impact?
Unscrupulous users could potentially upload code that will be executed by the server.
Specific information about the vulnerability, such as how to perform the exploit, has not been made public yet.
What do I need to do in order to resolve this issue?
Simply download the appropriate patch listed on this page: http://www.altn.com/Support/SecurityUpdate/MD051314_MDaemon_EN/. As mentioned above there is no requirement to renew Upgrade Protection to obtain the fix.
If you have any other questions regarding this please feel free to email firstname.lastname@example.org