[CLA-2004:904] Conectiva Security Announcement - cyrus-imapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cyrus-imapd
SUMMARY : Multiple vulnerabilities in cyrus-imapd
DATE : 2004-12-01 18:21:00
ID : CLA-2004:904
RELEVANT
RELEASES : 9, 10
- -------------------------------------------------------------------------
DESCRIPTION
cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced
features such as SASL authentication, server-side mail filtering,
mailbox ACLs and others.
Stefan Esser from e-matters security recently published[2] several
vulnerabilities in cyrus-imapd:
(if not mentioned otherwise, all vulnerabilities affect both
Conectiva Linux 9 and 10)
1. "imapmagicplus" buffer overflow (CAN-2004-1011)[3]
If the "imapmagicplus" option is enabled in the server's
configuration file, then the LOGIN and PROXY commands can be abused
to cause a buffer overflow, allowing remote unauthenticated attackers
to execute arbitrary code as the "cyrus" user.
It was later found that the proxyd service also suffered[6] from the
same problem (CAN-2004-1015).
Conectiva Linux 9 is not affected by these vulnerabilities.
2. PARTIAL command vulnerability (CAN-2004-1012)[4]
The PARTIAL command parser has a vulnerability that would allow
authenticated users to cause memory corruption and possibly execute
arbitrary code as the "cyrus" user.
3. FETCH command vulnerability (CAN-2004-1013)[5]
The FETCH command parser has a vulnerability that would allow
authenticated users to cause memory corruption and possibly execute
arbitrary code as the "cyrus" user.
All these vulnerabilities have been fixed upstream with new versions
of cyrus-imapd: 2.2.10 for the 2.2.x branch and 2.1.17 for the 2.1.x
branch.
Below are additional changes in our RPM packages:
- for CL10: SNMP support has been removed. It needs a newer net-snmp
library than the one that is currently being shipped;
- for CL10: the script which attempts to convert the imapd.conf
configuration file from 2.1.x to the 2.2.x format has been fixed.
Previously it would mangle TLS directives;
- for CL9: the init script has been fixed to allow GSSAPI
authentication and also to restart the server if it was already
running;
- for CL9: the cyrus-imapd package now explicitly conflicts with
uw-imap-server and uw-pop-server.
SOLUTION
It is recommended that all cyrus-imapd users upgrade their packages.
The service will be automatically restarted after the upgrade if
needed.
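A triage check built from the facts above, added here as an example and not part of Conectiva's advisory or packages: it compares an installed upstream version against the fixed version for the release and reports whether the "imapmagicplus" option is enabled. The function names, the sample configuration and the accepted boolean spellings are assumptions.

```sh
#!/bin/sh
# Added example: triage against the fixed versions named in this advisory.
# Assumes a sort(1) that supports -V (GNU coreutils).

# Fixed upstream version for each Conectiva Linux release, per the advisory.
fixed_for_release() {
    case "$1" in
        10) echo "2.2.10" ;;
        9)  echo "2.1.17" ;;
        *)  return 1 ;;
    esac
}

# True (0) when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True (0) when the imapd.conf-style file $1 enables imapmagicplus.
# Assumption: yes/on/true/t/1 are the spellings treated as "enabled".
imapmagicplus_enabled() {
    grep -Eiq '^[[:space:]]*imapmagicplus[[:space:]]*:[[:space:]]*(yes|on|true|t|1)[[:space:]]*$' "$1" 2>/dev/null
}

# triage RELEASE UPSTREAM_VERSION CONFIG_FILE -> one verdict line.
# The imapmagicplus overflow is only reported for release 10, because the
# advisory states Conectiva Linux 9 is not affected by it.
triage() {
    fixed=$(fixed_for_release "$1") || { echo "unknown-release"; return 0; }
    if ! version_lt "$2" "$fixed"; then
        echo "patched"
    elif [ "$1" = 10 ] && imapmagicplus_enabled "$3"; then
        echo "vulnerable: PARTIAL, FETCH, imapmagicplus"
    else
        echo "vulnerable: PARTIAL, FETCH"
    fi
}

# Constructed sample configuration (not taken from the advisory).
sample=$(mktemp)
printf 'configdirectory: /var/lib/imap\nimapmagicplus: yes\n' > "$sample"
triage 10 2.2.8 "$sample"
triage 10 2.2.10 "$sample"
rm -f "$sample"
```

On a real host the upstream version can be read with rpm -q --qf '%{VERSION}\n' cyrus-imapd and passed as the second argument, with the server's own imapd.conf as the third.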
REFERENCES
1. http://asg.web.cmu.edu/cyrus/imapd/
2. http://security.e-matters.de/advisories/152004.html
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
7. http://asg.web.cmu.edu/cyrus/download/imapd/changes.html
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cyrus-imapd-2.2.10-62338U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-static-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-doc-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cyrus-imapd-2.1.17-28805U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-static-2.1.17-28805U90_5cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFBrifp42jd0JmAcZARAl8pAJ9XYSysXc85YP1SecR8c8iXT4W8aQCdFPS7
wuZJWDfIEUeGq3HGN8ExHFY=
=XDib
-----END PGP SIGNATURE-----