Message-Id: <E1QOrHE-0007UE-Lb@titan.mandriva.com>
Date: Tue, 24 May 2011 15:04:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:100 ] cyrus-imapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:100
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cyrus-imapd
Date : May 24, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been identified and fixed in cyrus-imapd:
The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does
not properly restrict I/O buffering, which allows man-in-the-middle
attackers to insert commands into encrypted sessions by sending a
cleartext command that is processed after TLS is in place, related to
a plaintext command injection attack, a similar issue to CVE-2011-0411
(CVE-2011-1926).
Packages for 2009.0 are provided as part of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN23yjmqjQ0CJFipgRAofTAKCbzecv2sfr6Sed19e3ToSx9i6gtQCgg6/B
10VNAxDouhTji/NBIie0PVc=
=6jGs
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
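
The buffering flaw named in the Problem Description, shown as an added example that is not part of the advisory and is not Cyrus code. It is a simplified model of a server input buffer; the struct, the function names and the sample segment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a server's input buffer (assumption, not Cyrus code). */
struct inbuf {
    const char *data;  /* bytes delivered by one cleartext read() */
    size_t len;        /* bytes buffered */
    size_t pos;        /* next unread byte */
};

/* Consume one LF-terminated line into out; return 1 if a full line was read. */
static int read_line(struct inbuf *b, char *out, size_t outsz) {
    const char *start = b->data + b->pos;
    const char *nl = memchr(start, '\n', b->len - b->pos);
    if (!nl) return 0;
    size_t n = (size_t)(nl - start) + 1;
    size_t copy = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, start, copy);
    out[copy] = '\0';
    b->pos += n;
    return 1;
}

/*
 * Handle STARTTLS and return how many cleartext bytes would still be
 * parsed as commands once TLS is in place.
 *   hardened == 0: leftover bytes stay buffered (the flaw class described)
 *   hardened == 1: buffered input is discarded before the handshake
 */
size_t starttls_leftover(const char *segment, int hardened) {
    struct inbuf b = { segment, strlen(segment), 0 };
    char line[128];
    if (!read_line(&b, line, sizeof line) || !strstr(line, " STARTTLS"))
        return 0;
    if (hardened)
        b.pos = b.len;  /* drop everything that arrived before TLS */
    return b.len - b.pos;
}

int main(void) {
    /* Constructed sample: two commands arriving in one cleartext segment. */
    const char *seg = "a001 STARTTLS\r\na002 NOOP\r\n";
    printf("vulnerable: %zu bytes pending\n", starttls_leftover(seg, 0));
    printf("hardened:   %zu bytes pending\n", starttls_leftover(seg, 1));
    return 0;
}
```

A nonzero count at the moment STARTTLS is handled is also a usable detection signal: a server can log or reject the session instead of silently discarding the bytes.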