Message-Id: <E1QOrHE-0007UE-Lb@titan.mandriva.com>
Date: Tue, 24 May 2011 15:04:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:100 ] cyrus-imapd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:100
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cyrus-imapd
 Date    : May 24, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and fixed in cyrus-imapd:
 
 The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does
 not properly restrict I/O buffering, which allows man-in-the-middle
 attackers to insert commands into encrypted sessions by sending a
 cleartext command that is processed after TLS is in place, related to
 a plaintext command injection attack, a similar issue to CVE-2011-0411
 (CVE-2011-1926).
 
 Packages for 2009.0 are provided under the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 498d5b68bb40c8f647ee02665beb3646  2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 52718b5cd0166f62fa15bf6f4ec65d56  2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 34e7b7a7cd5f7cad2dc6e068164b0fdc  2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 33e98b4e6bcf6ce9dd16e44b0ca75701  2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 9a3803b65facdf6f35b6d9056ce79a47  2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 37252ed6cfb44699178c1beef4db9e9b  2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.i586.rpm 
 6f396249a59b1f73d015102ce85b70ed  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 9c80de09df788a63bcaff8dbac7ae51e  2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 83839c1d5e23260b3b9568f67d9263bb  2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 7eba11d541e46f84274455f4e2e73783  2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 6dd7cba369978b229826fbadb52c6281  2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 55d2a884babf37537c0893410be5999e  2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 c517ce121ead39692cbc5d3e6d0bd035  2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm 
 6f396249a59b1f73d015102ce85b70ed  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 a1424b6d2116c8d04ddf599d47d0066c  2010.1/i586/cyrus-imapd-2.3.15-10.2mdv2010.2.i586.rpm
 979e2a7916c2169592188d798fc9afc3  2010.1/i586/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.i586.rpm
 d8220c9ae8b12aba911d1ca3c1d8d9bc  2010.1/i586/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.i586.rpm
 da26c65b19ea37a05423367287914a1d  2010.1/i586/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.i586.rpm
 bd15ad1797b25046fa1f5fc6223041a3  2010.1/i586/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.i586.rpm
 202641315ef7e281b0ac9d49b41dc5b2  2010.1/i586/perl-Cyrus-2.3.15-10.2mdv2010.2.i586.rpm 
 907ddfe3b1ca22885fd437edc7f38a54  2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 98084c7318761c7e716c9704b41599df  2010.1/x86_64/cyrus-imapd-2.3.15-10.2mdv2010.2.x86_64.rpm
 fe1845c0fb1f518b7b4589e59eb522dd  2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.x86_64.rpm
 ff61a5b78885d513be547c5d3abe5e5b  2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.x86_64.rpm
 8b77e0f150e904d529c9742ee6531619  2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.x86_64.rpm
 2c51ef5a91da31245b8b12dcbdd1af84  2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.x86_64.rpm
 b26c3480fa743eef4a9241b1be75cf91  2010.1/x86_64/perl-Cyrus-2.3.15-10.2mdv2010.2.x86_64.rpm 
 907ddfe3b1ca22885fd437edc7f38a54  2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm

 Corporate 4.0:
 45c23a293396522a89503b10a8f5db1f  corporate/4.0/i586/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 91eb948568050fabe11c6eb55b90a26e  corporate/4.0/i586/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 5a8b99fe60f67a158a1610cfb85fdc79  corporate/4.0/i586/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 87eeee87f8777f16f210c8364f107ba0  corporate/4.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 0b802cff2c75731783dde8bafde043ee  corporate/4.0/i586/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 d27c5d8a57ea4adcf29c252c74a95720  corporate/4.0/i586/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm 
 ade0c37e3e36d2504f9700cd94f2dc74  corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 1f5cae7f38de7492414d31226ba2676e  corporate/4.0/x86_64/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 21189c14023ad6edcf7433a0932caf59  corporate/4.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 c862cf5ed064b9bb28523d87f1077920  corporate/4.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 d501b94549efb93571eef10f352fd795  corporate/4.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 9aa31a3991d96607132fec6250501fa4  corporate/4.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 b29f43dbabf91ad0373da71e5c2def91  corporate/4.0/x86_64/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm 
 ade0c37e3e36d2504f9700cd94f2dc74  corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 44ccd362ff4536d279c6bc766fdde321  mes5/i586/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 dad6eac600091c4da1d8faebfa1e82b8  mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 3fece92c479e94610d82c590530af616  mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 c3d98ddbedac750bf27eec165c5b5902  mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 3275d942a0be02ca5c5810e181dcd518  mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 9b75bc3f9437bd461e8ad8e057be1f39  mes5/i586/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm 
 797d5d4a98b15d89a16b60b13a9782fc  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 64262442694df3a279c20ff7fbcc2588  mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 f638482001851e8356435b9cdca935d8  mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 f8039806879ebd5dc67b3bf5640b82a5  mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 3f746817849822daf1271b5357d5fe84  mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 ea74bb4cd9bb9734ffd16f30fe77fb0d  mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 1a21b438502b53ce5121608a2e95450e  mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm 
 797d5d4a98b15d89a16b60b13a9782fc  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN23yjmqjQ0CJFipgRAofTAKCbzecv2sfr6Sed19e3ToSx9i6gtQCgg6/B
10VNAxDouhTji/NBIie0PVc=
=6jGs
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
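
The buffering flaw described in the advisory, as an added example that is not part of the original message and is not Cyrus code: a toy read buffer where bytes that arrived in the same cleartext segment as STARTTLS are still parsed after the TLS flag is set, next to the fix of discarding the buffer at the switch. The names `conn`, `next_line` and `handle_segment` and the sample segment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of a line-based server's read buffer (hypothetical; not Cyrus code). */
struct conn {
    char buf[256];   /* bytes already read from the socket, not yet parsed */
    size_t len;
    int tls_on;      /* set once the TLS handshake has completed */
};
/* Pop one CRLF-terminated line from the buffer; returns 1 if a line was found. */
static int next_line(struct conn *c, char *out, size_t outsz) {
    char *eol = NULL;
    for (size_t i = 0; i + 1 < c->len; i++)
        if (c->buf[i] == '\r' && c->buf[i + 1] == '\n') { eol = c->buf + i; break; }
    if (!eol) return 0;
    size_t n = (size_t)(eol - c->buf);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, c->buf, n);
    out[n] = '\0';
    size_t used = (size_t)(eol - c->buf) + 2;
    memmove(c->buf, c->buf + used, c->len - used);
    c->len -= used;
    return 1;
}

/* Feed one cleartext TCP segment and parse it. Returns the number of commands
 * that were received in cleartext but handled with tls_on set.
 * flush_on_starttls = 0 models the flaw, 1 models the fix. */
int handle_segment(const char *segment, int flush_on_starttls) {
    struct conn c = { .len = 0, .tls_on = 0 };
    char line[128];
    int smuggled = 0;
    c.len = strlen(segment) < sizeof c.buf ? strlen(segment) : sizeof c.buf;
    memcpy(c.buf, segment, c.len);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls_on) { smuggled++; continue; }   /* treated as protected input */
        if (strstr(line, "STARTTLS")) {
            if (flush_on_starttls) c.len = 0;      /* drop pre-handshake leftovers */
            c.tls_on = 1;                          /* handshake would happen here */
        }
    }
    return smuggled;
}

int main(void) {
    /* Constructed input: STARTTLS plus a trailing command in one segment. */
    const char *seg = "a1 STARTTLS\r\na2 NOOP\r\n";
    printf("unflushed: %d, flushed: %d\n", handle_segment(seg, 0), handle_segment(seg, 1));
    return 0;
}
```

A nonzero count in the unflushed case is the condition the advisory describes: input that never passed through TLS is processed as if it had.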
