Message-Id: <E1REmSG-0002CW-Fi@titan.mandriva.com>
Date: Fri, 14 Oct 2011 20:26:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:149 ] cyrus-imapd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:149
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cyrus-imapd
 Date    : October 14, 2011
 Affected: 2009.0, 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 cyrus-imapd:
 
 Stack-based buffer overflow in the split_wildmats function in nntpd.c
 in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11
 allows remote attackers to execute arbitrary code via a crafted NNTP
 command (CVE-2011-3208).
 
 Secunia Research has discovered a vulnerability in Cyrus IMAPd,
 which can be exploited by malicious people to bypass certain security
 restrictions. The vulnerability is caused due to an error within the
 authentication mechanism of the NNTP server, which can be exploited
 to bypass the authentication process and execute commands intended
 for authenticated users by sending an AUTHINFO USER command without
 a following AUTHINFO PASS command (CVE-2011-3372).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 54e4d920a1dc6961449fe92a21d70aea  2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 b027ab6d3826bb90f3efeeaf9f0cfd38  2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 e12bf8783bfdabd829527b7a9a98ab91  2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 83a6a642fbeedc4d5f0adc5719a0080c  2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 2f893ebd6b25ed7f91af9d139e3cdf67  2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 aa73b1fc08697d507a1b498dac9fc9d3  2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.i586.rpm 
 a41a72745a688b0949ae18f726a4a899  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ddd19215cbb8d0f739ab3eac2ed9195b  2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 835254b0b18a7a31deabf3dafb25c505  2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 a4140740defa18ad54124b59ac5ced08  2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 f175718d4f8c935eaea646aacfb87fd2  2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 8abf84c4ae32460ce1b9fa540c0e8e1f  2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 d42f6a2dda95ff5f7e78a7d2ddc63634  2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm 
 a41a72745a688b0949ae18f726a4a899  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 b2510223c771d01a0a43c07f42cb0be6  2010.1/i586/cyrus-imapd-2.3.15-10.3mdv2010.2.i586.rpm
 ff5eaf5369620b878391c031833e869a  2010.1/i586/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.i586.rpm
 b9beb4b0160a2eda64fafb1bd2cd5dcb  2010.1/i586/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.i586.rpm
 646c64b84804113026d7fbee610623de  2010.1/i586/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.i586.rpm
 7e0d6868b3383fd9982e93c8f5daf34d  2010.1/i586/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.i586.rpm
 b0d952ba0fa0bd49a3f7d66dfd0d20ab  2010.1/i586/perl-Cyrus-2.3.15-10.3mdv2010.2.i586.rpm 
 91f58a4c94abbe71004c81d22d1dd954  2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 d0c07cb3c99c41c97e185074b3e5f68b  2010.1/x86_64/cyrus-imapd-2.3.15-10.3mdv2010.2.x86_64.rpm
 30a9fc8ee330a3d148cf30fa0c068695  2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.x86_64.rpm
 9e9b90b86fc365b7714c07d19f6211f1  2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.x86_64.rpm
 a3f454c4bc8b9d49fc285a2f258c5641  2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.x86_64.rpm
 c27bc4046e4edb82d5ef0afb30b1fb19  2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.x86_64.rpm
 be0dbebb632f2e054465cdeda28edbf7  2010.1/x86_64/perl-Cyrus-2.3.15-10.3mdv2010.2.x86_64.rpm 
 91f58a4c94abbe71004c81d22d1dd954  2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

 Mandriva Linux 2011:
 ebe69cb95fb6874413e4fa97648d6cad  2011/i586/cyrus-imapd-2.3.16-7.1-mdv2011.0.i586.rpm
 cd7fbd790cb66ecd639bf8b128668cac  2011/i586/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.i586.rpm
 eb78400f64696546133b277556047d2b  2011/i586/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.i586.rpm
 e88682e14a537ac865af12bb6d804724  2011/i586/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.i586.rpm
 e4677ac6a793215bb72ad163dcae1774  2011/i586/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.i586.rpm
 8276f4a486bbbadbb5423c26b4adf0d6  2011/i586/perl-Cyrus-2.3.16-7.1-mdv2011.0.i586.rpm 
 6438fb0d0c9545c3c773598875e6e0f6  2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

 Mandriva Linux 2011/X86_64:
 ce0c97c28bc8a6b6f388530d92e5b33e  2011/x86_64/cyrus-imapd-2.3.16-7.1-mdv2011.0.x86_64.rpm
 61457b6448ec7faf3943ac4b87bb0482  2011/x86_64/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.x86_64.rpm
 e86a7e251cb50d53c86c4ae2b016ecf1  2011/x86_64/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.x86_64.rpm
 1a95f9257bb366be1da897af9ed4a495  2011/x86_64/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.x86_64.rpm
 2f72036afd5b32e8fcce130340334cd9  2011/x86_64/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.x86_64.rpm
 2dddd70d1c8df83d30abea15895a02fa  2011/x86_64/perl-Cyrus-2.3.16-7.1-mdv2011.0.x86_64.rpm 
 6438fb0d0c9545c3c773598875e6e0f6  2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

 Mandriva Enterprise Server 5:
 c7fd893f177ccdb0e1bc965ef2a03dc6  mes5/i586/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 e503472475bc013c4c7cc243bcac541b  mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 33fcfe50614189975eb5ee5d3a65f908  mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 100ece0aadd61e09963e6d72ac9b5fb2  mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 032bd3b1c4e554676db6ecbc9063a9c9  mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 9387c22cbe5a1fa40dae1cb9a502b286  mes5/i586/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm 
 57e222015b6d051ab5246d1deed73804  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1d809a8f695f1b8fbc407af0dc216ca0  mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 b9bf166cfe741ae746674d05c3d6ad3a  mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 3739c923a3b3d0fccc598d468eaa2048  mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 5971440e8872b5a820c2fc6e9c151b06  mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 d0d378499795a0a5aefabf6ea321f064  mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 2dc5d80a0c361b2a9216c5368cf2bed9  mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm 
 57e222015b6d051ab5246d1deed73804  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOmE+AmqjQ0CJFipgRAiXpAKCCOKU1/pAsFHn6o4QvJ0qiNHUKcACfQ8sa
4njgAqVphfco+jXlw4YnOS0=
=TTn/
-----END PGP SIGNATURE-----
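
The CVE-2011-3372 description above says commands meant for authenticated users were accepted after AUTHINFO USER with no AUTHINFO PASS. The following is an added example, not code from the advisory or from Cyrus IMAPd: a simplified model of how that class of error can arise and how a strict gate avoids it. All names (`struct session`, `may_run_weak`, `may_run_strict`, `check_password`) and the sample credentials are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of NNTP AUTHINFO state (hypothetical, not Cyrus source). */
struct session {
    char pending_user[64];  /* name from AUTHINFO USER, not yet verified */
    bool authenticated;     /* set only by a successful AUTHINFO PASS */
};

/* Stand-in for the real password backend; credentials are constructed. */
static bool check_password(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "constructed-secret") == 0;
}

void authinfo_user(struct session *s, const char *user) {
    /* Bounded copy; a new USER always discards any earlier auth state. */
    strncpy(s->pending_user, user, sizeof(s->pending_user) - 1);
    s->pending_user[sizeof(s->pending_user) - 1] = '\0';
    s->authenticated = false;
}

bool authinfo_pass(struct session *s, const char *pass) {
    if (s->pending_user[0] == '\0')
        return false;                       /* PASS without a prior USER */
    s->authenticated = check_password(s->pending_user, pass);
    return s->authenticated;
}

/* Flawed gate: a non-empty user name is treated as proof of identity. */
bool may_run_weak(const struct session *s) {
    return s->pending_user[0] != '\0';
}

/* Strict gate: only a completed USER + PASS exchange authorizes. */
bool may_run_strict(const struct session *s) {
    return s->authenticated;
}

int main(void) {
    struct session s = {{0}, false};
    authinfo_user(&s, "alice");             /* USER sent, PASS never sent */
    printf("weak gate: %d, strict gate: %d\n",
           may_run_weak(&s), may_run_strict(&s));
    return (may_run_weak(&s) && !may_run_strict(&s)) ? 0 : 1;
}
```

A regression test for the patched packages can assert the same property at the protocol level: no command reserved for authenticated users succeeds until AUTHINFO PASS has been accepted.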
