Bug 12770

Summary: imapsync new security issue fixed upstream in 1.584 (CVE-2014-2014)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: ennael1, geiger.david68210, sysadmin-bugs, tmb
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/586321/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
Source RPM: imapsync-1.456-4.mga4.src.rpm
Attachments:
data to be migrated using imapsync
script to migrate data using imapsync

Description David Walser 2014-02-14 18:39:16 CET
Fedora has issued an advisory today (February 14):
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html

The issue is fixed upstream in 1.584.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-02-14 18:39:32 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-18 16:55:25 CET
This has been assigned CVE-2014-2014:
http://openwall.com/lists/oss-security/2014/02/18/5

Summary: imapsync new security issue fixed upstream in 1.584 => imapsync new security issue fixed upstream in 1.584 (CVE-2014-2014)

Comment 2 David Walser 2014-02-24 17:41:48 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

In imapsync before 1.584, a certificate verification failure when using the
--tls option results in imapsync attempting a cleartext login (CVE-2014-2014).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2014
http://openwall.com/lists/oss-security/2014/02/18/5
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.mga3
imapsync-1.584-1.mga4

from SRPMS:
imapsync-1.584-1.mga3.src.rpm
imapsync-1.584-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
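
Added example, not part of the original report and not imapsync's own (Perl) code: a small Python model of the behaviour the advisory in comment 2 describes, with a fail-open client next to a fail-closed one. ScriptedServer and all function names are hypothetical, and the "server" is a constructed stand-in that only records which lines would cross the wire unencrypted.

```python
import ssl


class ScriptedServer:
    """Constructed stand-in for an IMAP server; records what travels in cleartext."""

    def __init__(self, cert_valid):
        self.cert_valid = cert_valid
        self.encrypted = False
        self.cleartext_seen = []  # lines an on-path observer could read

    def send(self, line):
        if not self.encrypted:
            self.cleartext_seen.append(line)

    def start_tls(self):
        self.send("a1 STARTTLS")
        if not self.cert_valid:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        self.encrypted = True


def login_fail_open(conn, user, password):
    """Assumed shape of the flaw: the TLS error is swallowed and LOGIN is still sent."""
    try:
        conn.start_tls()
    except ssl.SSLError:
        pass  # execution continues on the unencrypted channel
    conn.send(f"a2 LOGIN {user} {password}")
    return conn.encrypted


def login_fail_closed(conn, user, password):
    """Hardened form: any TLS failure aborts before credentials are written."""
    conn.start_tls()  # ssl.SSLError propagates to the caller
    if not conn.encrypted:  # defence in depth: never LOGIN in the clear
        raise ssl.SSLError("TLS requested but channel is not encrypted")
    conn.send(f"a2 LOGIN {user} {password}")
    return conn.encrypted


def leaked_credentials(conn):
    """Return every LOGIN line that was sent without encryption."""
    return [line for line in conn.cleartext_seen if " LOGIN " in line]
```

The same check works as a regression test for any client that offers a TLS option: feed it a server whose certificate fails verification and assert that no LOGIN line is ever written.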

Comment 3 Anne Nicolas 2014-02-26 10:23:23 CET
A quick test for imapsync from the upstream project.
Copy sync_loop_unix.sh and file.txt into the same directory and run:

sh sync_loop_unix.sh

It should create a directory called LOG with all migrated data.

CC: (none) => ennael1

Comment 4 Anne Nicolas 2014-02-26 10:24:11 CET
Created attachment 5011
data to be migrated using imapsync

Comment 5 Anne Nicolas 2014-02-26 10:24:45 CET
Created attachment 5012
script to migrate data using imapsync

Comment 6 Anne Nicolas 2014-02-26 10:31:42 CET
I've used the script and data at home on my own IMAP server using an existing user. Works here as expected on Mageia 4 64.
Anne Nicolas 2014-02-26 10:31:53 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 7 David GEIGER 2014-02-26 19:45:28 CET
Tested mga4_32,

Testing complete for imapsync-1.584-1.mga4, Ok for me.

Use Anne's script and procedure on comment 3.

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 8 claire robinson 2014-02-27 16:32:40 CET
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok

Comment 9 claire robinson 2014-02-27 18:24:52 CET
Testing complete mga3 32

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-02-27 23:15:10 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0106.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED