Bug 12770 - imapsync new security issue fixed upstream in 1.584 (CVE-2014-2014)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586321/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update

Reported: 2014-02-14 18:39 CET by David Walser
Modified: 2014-02-27 23:15 CET

Source RPM: imapsync-1.456-4.mga4.src.rpm

Attachments
data to be migrated using imapsync (569 bytes, text/plain)
2014-02-26 10:24 CET, Anne Nicolas
script to migrate data using imapsync (1.12 KB, application/x-shellscript)
2014-02-26 10:24 CET, Anne Nicolas

Description David Walser 2014-02-14 18:39:16 CET
Fedora has issued an advisory today (February 14):
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html

The issue is fixed upstream in 1.584.

Mageia 3 and Mageia 4 are also affected.

Comment 1 David Walser 2014-02-18 16:55:25 CET
This has been assigned CVE-2014-2014:
http://openwall.com/lists/oss-security/2014/02/18/5
Comment 2 David Walser 2014-02-24 17:41:48 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

In imapsync before 1.584, a certificate verification failure when using the
--tls option results in imapsync attempting a cleartext login (CVE-2014-2014).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2014
http://openwall.com/lists/oss-security/2014/02/18/5
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.mga3
imapsync-1.584-1.mga4

from SRPMS:
imapsync-1.584-1.mga3.src.rpm
imapsync-1.584-1.mga4.src.rpm
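
The failure mode named in the advisory above (TLS setup fails, the login goes out in cleartext anyway) next to a fail-closed version, as an added Python example that is not imapsync's code and not part of the original report. `FakeImapClient`, the function names and the credentials are hypothetical and constructed so the block runs offline.

```python
import imaplib
import ssl


class CleartextLoginRefused(Exception):
    """Raised instead of sending credentials over an unencrypted session."""


def login_fail_open(client, user, password, context=None):
    """Flawed pattern: a STARTTLS failure is swallowed and LOGIN still runs."""
    try:
        client.starttls(ssl_context=context)
    except (ssl.SSLError, imaplib.IMAP4.error):
        pass  # session is still cleartext at this point
    return client.login(user, password)


def login_fail_closed(client, user, password, context=None):
    """Hardened pattern: any STARTTLS failure aborts before LOGIN."""
    try:
        client.starttls(ssl_context=context)
    except (ssl.SSLError, imaplib.IMAP4.error) as exc:
        raise CleartextLoginRefused(f"STARTTLS failed, login aborted: {exc}") from exc
    return client.login(user, password)


class FakeImapClient:
    """Constructed stand-in for imaplib.IMAP4 whose certificate never verifies."""

    def __init__(self):
        self.cleartext_logins = []  # users whose password went out unencrypted

    def starttls(self, ssl_context=None):
        raise ssl.SSLCertVerificationError("certificate verify failed (constructed)")

    def login(self, user, password):
        self.cleartext_logins.append(user)  # TLS never came up in this fake
        return ("OK", [b"LOGIN completed"])


def demo():
    """Return the cleartext logins seen under each pattern."""
    open_client, closed_client = FakeImapClient(), FakeImapClient()
    login_fail_open(open_client, "alice", "constructed-password")
    try:
        login_fail_closed(closed_client, "alice", "constructed-password")
    except CleartextLoginRefused:
        pass
    return open_client.cleartext_logins, closed_client.cleartext_logins
```
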
Comment 3 Anne Nicolas 2014-02-26 10:23:23 CET
A quick test for imapsync from upstream project.
Copy sync_loop_unix.sh and file.txt in the same directory and run:

sh sync_loop_unix.sh

It should create a directory called LOG with all migrated data.
Comment 4 Anne Nicolas 2014-02-26 10:24:11 CET
Created attachment 5011
data to be migrated using imapsync
Comment 5 Anne Nicolas 2014-02-26 10:24:45 CET
Created attachment 5012
script to migrate data using imapsync
Comment 6 Anne Nicolas 2014-02-26 10:31:42 CET
I've used the script and data at home on my own IMAP server using an existing user. Works here as expected on Mageia 4 64.
Comment 7 David GEIGER 2014-02-26 19:45:28 CET
Tested mag4_32,

Testing complete for imapsync-1.584-1.mga4, Ok for me.

Use Anne's script and procedure on comment 3.
Comment 8 claire robinson 2014-02-27 16:32:40 CET
Testing complete mga3 64
Comment 9 claire robinson 2014-02-27 18:24:52 CET
Testing complete mga3 32

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 10 Thomas Backlund 2014-02-27 23:15:10 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0106.html
