-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : cyrus-imapd
SUMMARY   : Multiple vulnerabilities in cyrus-imapd
DATE      : 2004-12-01 18:21:00
ID        : CLA-2004:904
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------

DESCRIPTION
 cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced
 features such as SASL authentication, server-side mail filtering,
 mailbox ACLs and others.

 Stefan Esser from e-matters security recently published[2] several
 vulnerabilities in cyrus-imapd:
 (if not mentioned otherwise, all vulnerabilities affect both
 Conectiva Linux 9 and 10)

 1. "imapmagicplus" buffer overflow (CAN-2004-1011)[3]
 If the "imapmagicplus" option is enabled in the server's
 configuration file, then the LOGIN and PROXY commands can be abused
 to cause a buffer overflow, allowing remote unauthenticated attackers
 to execute arbitrary code as the "cyrus" user. Later on it has been
 found that the proxyd service also suffered[6] (CAN-2004-1015) from
 the same problem.
 Conectiva Linux 9 is not affected by these vulnerabilities.

 2. PARTIAL command vulnerability (CAN-2004-1012)[4]
 The PARTIAL command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.

 3. FETCH command vulnerability (CAN-2004-1013)[5]
 The FETCH command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.

 All these vulnerabilities have been fixed upstream with new versions
 of cyrus-imapd: 2.2.10 for the 2.2.x branch and 2.1.17 for the 2.1.x
 branch.

 Below are additional changes in our RPM packages:
 - for CL10: SNMP support has been removed. It needs a newer net-snmp
   library than the one that is currently being shipped;
 - for CL10: the script which attempts to convert the imapd.conf
   configuration file from 2.1.x to the 2.2.x format has been fixed.
   Previously it would mangle TLS directives;
 - for CL9: the init script has been fixed to allow GSSAPI
   authentication and also to restart the server if it was already
   running;
 - for CL9: the cyrus-imapd package now explicitly conflicts with
   uw-imap-server and uw-pop-server.


SOLUTION
 It is recommended that all cyrus-imapd users upgrade their packages.
 The service will be automatically restarted after the upgrade if
 needed.


 REFERENCES
 1. http://asg.web.cmu.edu/cyrus/imapd/
 2. http://security.e-matters.de/advisories/152004.html
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
 6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
 7. http://asg.web.cmu.edu/cyrus/download/imapd/changes.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cyrus-imapd-2.2.10-62338U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-static-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-doc-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cyrus-imapd-2.1.17-28805U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-static-2.1.17-28805U90_5cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
unsubscribe: conectiva-updates-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBrifp42jd0JmAcZARAl8pAJ9XYSysXc85YP1SecR8c8iXT4W8aQCdFPS7
wuZJWDfIEUeGq3HGN8ExHFY=
=XDib
-----END PGP SIGNATURE-----
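
A triage check built from the advisory's facts, added here as an example (not Conectiva's or the Cyrus project's code): it compares a cyrus-imapd version with the fixed releases 2.2.10 and 2.1.17 and, for the 2.2.x branch, looks for an enabled "imapmagicplus" setting in imapd.conf. The function names, the output labels, the accepted boolean spellings and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example, not Conectiva's or the Cyrus project's code.
# Fixed versions come from the advisory: 2.2.10 (2.2.x) and 2.1.17 (2.1.x).

# version_is_fixed VERSION: 0 = fixed, 1 = older than the fix, 2 = other branch
version_is_fixed() {
    ver=${1%%-*}                          # drop an RPM release suffix
    old_ifs=$IFS; IFS=.
    set -- $ver                           # split into major, minor, patch
    IFS=$old_ifs
    patch=${3:-0}; patch=${patch%%[!0-9]*}
    case "$1.$2" in
        2.2) [ "${patch:-0}" -ge 10 ] ;;
        2.1) [ "${patch:-0}" -ge 17 ] ;;
        *)   return 2 ;;
    esac
}

# imapmagicplus_enabled FILE: 0 if any uncommented line turns the option on.
# The list of true spellings is an assumption about imapd.conf booleans.
imapmagicplus_enabled() {
    grep -Eiq '^[[:space:]]*imapmagicplus[[:space:]]*:[[:space:]]*(1|yes|on|t|true)[[:space:]]*$' "$1"
}

# assess VERSION CONF: prints fixed, vulnerable-preauth, vulnerable-auth or unknown
assess() {
    version_is_fixed "$1" && { echo "fixed"; return 0; }
    case "$1" in
        2.2.*)  # unauthenticated LOGIN/PROXY overflow needs imapmagicplus enabled
                if imapmagicplus_enabled "$2"; then
                    echo "vulnerable-preauth"
                else
                    echo "vulnerable-auth"     # PARTIAL/FETCH, authenticated users
                fi ;;
        2.1.*)  # the advisory states CL9 (2.1.x) is not affected by imapmagicplus
                echo "vulnerable-auth" ;;
        *)      echo "unknown" ;;
    esac
}

# Constructed sample imapd.conf, not taken from a real server
sample_conf() {
    printf '%s\n' 'configdirectory: /var/lib/imap' \
                  '# imapmagicplus: no' \
                  'imapmagicplus: yes'
}
```

On an RPM system the version argument can come from `rpm -q --qf '%{VERSION}' cyrus-imapd`; the location of imapd.conf depends on the installation.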