<<< Date Index >>>     <<< Thread Index >>>

[CLA-2004:904] Conectiva Security Announcement - cyrus-imapd



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : cyrus-imapd
SUMMARY   : Multiple vulnerabilities in cyrus-imapd
DATE      : 2004-12-01 18:21:00
ID        : CLA-2004:904
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------

DESCRIPTION
 cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced
 features such as SASL authentication, server-side mail filtering,
 mailbox ACLs and others.
 
 Stefan Esser from e-matters security recently published[2] several
 vulnerabilities in cyrus-imapd:
 
 (if not mentioned otherwise, all vulnerabilities affect both
 Conectiva Linux 9 and 10)
 
 1. "imapmagicplus" buffer overflow (CAN-2004-1011)[3]
 If the "imapmagicplus" option is enabled in the server's
 configuration file, then the LOGIN and PROXY commands can be abused
 to cause a buffer overflow, allowing remote unauthenticated attackers
 to execute arbitrary code as the "cyrus" user.
 
 Later on it has been found that the proxyd service also suffered[6]
 (CAN-2004-1015) from the same problem.
 
 Conectiva Linux 9 is not affected by these vulnerabilities.
 
 
 2. PARTIAL command vulnerability (CAN-2004-1012)[4]
 The PARTIAL command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.
 
 
 3. FETCH command vulnerability (CAN-2004-1013)[5]
 The FETCH command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.
 
 
 All these vulnerabilities have been fixed upstream with new versions
 of cyrus-imapd: 2.2.10 for the 2.2.x branch and 2.1.17 for the 2.1.x
 branch.
 
 Below are additional changes in our RPM packages:
 - for CL10: SNMP support has been removed. It needs a newer net-snmp
 library than the one that is currently being shipped;
 - for CL10: the script which attempts to convert the imapd.conf
 configuration file from 2.1.x to the 2.2.x format has been fixed.
 Previously it would mangle TLS directives;
 - for CL9: the init script has been fixed to allow GSSAPI
 authentication and also to restart the server if it was already
 running;
 - for CL9: the cyrus-imapd package now explicitly conflicts with
 uw-imap-server and uw-pop-server.


SOLUTION
 It is recommended that all cyrus-imapd users upgrade their packages.
 The service will be automatically restarted after the upgrade if
 needed.
 
 
 REFERENCES
 1. http://asg.web.cmu.edu/cyrus/imapd/
 2. http://security.e-matters.de/advisories/152004.html
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
 6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
 7. http://asg.web.cmu.edu/cyrus/download/imapd/changes.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cyrus-imapd-2.2.10-62338U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-static-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-doc-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cyrus-imapd-2.1.17-28805U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-static-2.1.17-28805U90_5cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
unsubscribe: conectiva-updates-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBrifp42jd0JmAcZARAl8pAJ9XYSysXc85YP1SecR8c8iXT4W8aQCdFPS7
wuZJWDfIEUeGq3HGN8ExHFY=
=XDib
-----END PGP SIGNATURE-----