Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200411-34 ] Cyrus IMAP Server: Multiple remote vulnerabilities
Date: Thu, 25 Nov 2004 09:43:27
Message-Id: 41A5A8E8.7010904@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200411-34
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Cyrus IMAP Server: Multiple remote vulnerabilities
9 Date: November 25, 2004
10 Bugs: #72194
11 ID: 200411-34
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The Cyrus IMAP Server contains multiple vulnerabilities which could
19 lead to remote execution of arbitrary code.
20
21 Background
22 ==========
23
24 The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail
25 server.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-mail/cyrus-imapd < 2.2.10 >= 2.2.10
34
35 Description
36 ===========
37
38 Multiple vulnerabilities have been discovered in the argument parsers
39 of the 'partial' and 'fetch' commands of the Cyrus IMAP Server
40 (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the
41 'imap magic plus' code that are vulnerable to exploitation as well
42 (CAN-2004-1011, CAN-2004-1015).
43
44 Impact
45 ======
46
47 An attacker can exploit these vulnerabilities to execute arbitrary code
48 with the rights of the user running the Cyrus IMAP Server.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All Cyrus-IMAP Server users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.10"
62
63 References
64 ==========
65
66 [ 1 ] CAN-2004-1011
67 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
68 [ 2 ] CAN-2004-1012
69 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
70 [ 3 ] CAN-2004-1013
71 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
72 [ 4 ] CAN-2004-1015
73 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
74 [ 5 ] e-matters Advisory
75 http://security.e-matters.de/advisories/152004.html
76 [ 6 ] Cyrus IMAP Server ChangeLog
77 http://asg.web.cmu.edu/cyrus/download/imapd/changes.html
78
79 Availability
80 ============
81
82 This GLSA and any updates to it are available for viewing at
83 the Gentoo Security Website:
84
85 http://security.gentoo.org/glsa/glsa-200411-34.xml
86
87 Concerns?
88 =========
89
90 Security is a primary focus of Gentoo Linux and ensuring the
91 confidentiality and security of our users machines is of utmost
92 importance to us. Any security concerns should be addressed to
93 security@g.o or alternatively, you may file a bug at
94 http://bugs.gentoo.org.
95
96 License
97 =======
98
99 Copyright 2004 Gentoo Foundation, Inc; referenced text
100 belongs to its owner(s).
101
102 The contents of this document are licensed under the
103 Creative Commons - Attribution / Share Alike license.
104
105 http://creativecommons.org/licenses/by-sa/2.0

Attachments

File name MIME type
signature.asc application/pgp-signature