Bug 12770 - imapsync new security issue fixed upstream in 1.584 (CVE-2014-2014)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586321/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-14 18:39 CET by David Walser
Modified: 2014-02-27 23:15 CET

See Also:
Source RPM: imapsync-1.456-4.mga4.src.rpm
CVE:
Status comment:


Attachments
data to be migrated using imapsync (569 bytes, text/plain)
2014-02-26 10:24 CET, Anne Nicolas
script to migrate data using imapsync (1.12 KB, application/x-shellscript)
2014-02-26 10:24 CET, Anne Nicolas

Description David Walser 2014-02-14 18:39:16 CET
Fedora has issued an advisory today (February 14):
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html

The issue is fixed upstream in 1.584.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-02-14 18:39:32 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-18 16:55:25 CET
This has been assigned CVE-2014-2014:
http://openwall.com/lists/oss-security/2014/02/18/5

Summary: imapsync new security issue fixed upstream in 1.584 => imapsync new security issue fixed upstream in 1.584 (CVE-2014-2014)

Comment 2 David Walser 2014-02-24 17:41:48 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

In imapsync before 1.584, a certificate verification failure when using the
--tls option results in imapsync attempting a cleartext login (CVE-2014-2014).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2014
http://openwall.com/lists/oss-security/2014/02/18/5
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.mga3
imapsync-1.584-1.mga4

from SRPMS:
imapsync-1.584-1.mga3.src.rpm
imapsync-1.584-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
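
The fail-open behaviour described in the comment 2 advisory, next to a fail-closed version, as an added example that is not part of this bug report and is not imapsync's own code (imapsync is written in Perl). `FakeImap` and the function names are hypothetical, and the connection is a constructed test double so the block runs offline.

```python
import ssl


class FakeImap:
    """Constructed test double for an IMAP connection (hypothetical, not imapsync code)."""

    def __init__(self, cert_ok):
        self.cert_ok = cert_ok
        self.encrypted = False
        self.sent = []  # (command, channel_was_encrypted) for every command sent

    def starttls(self):
        # Simulate the TLS handshake; a bad certificate raises, as a verifying client would.
        if not self.cert_ok:
            raise ssl.SSLError("certificate verify failed")
        self.encrypted = True

    def login(self, user, password):
        self.sent.append(("LOGIN", self.encrypted))


def login_fail_open(conn, user, password):
    """Behaviour described in the advisory: TLS failure is tolerated, login continues."""
    try:
        conn.starttls()
    except ssl.SSLError as exc:
        print(f"warning: TLS failed ({exc}); continuing")
    conn.login(user, password)  # sent in cleartext if the handshake failed


def login_fail_closed(conn, user, password):
    """Hardened: a TLS failure propagates and no credentials are sent."""
    conn.starttls()
    if not conn.encrypted:
        raise RuntimeError("refusing LOGIN on an unencrypted channel")
    conn.login(user, password)


def cleartext_logins(conn):
    """Commands that were sent while the channel was not encrypted."""
    return [cmd for cmd, encrypted in conn.sent if not encrypted]


if __name__ == "__main__":
    conn = FakeImap(cert_ok=False)
    login_fail_open(conn, "user", "secret")
    print("fail-open cleartext commands:", cleartext_logins(conn))
```
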

Comment 3 Anne Nicolas 2014-02-26 10:23:23 CET
A quick test for imapsync from upstream project.
Copy sync_loop_unix.sh and file.txt into the same directory and run:

sh sync_loop_unix.sh

It should create a directory called LOG with all migrated data.

CC: (none) => ennael1

Comment 4 Anne Nicolas 2014-02-26 10:24:11 CET
Created attachment 5011
data to be migrated using imapsync

Comment 5 Anne Nicolas 2014-02-26 10:24:45 CET
Created attachment 5012
script to migrate data using imapsync

Comment 6 Anne Nicolas 2014-02-26 10:31:42 CET
I've used the script and data at home on my own IMAP server using an existing user. Works here as expected on Mageia 4 64.

Anne Nicolas 2014-02-26 10:31:53 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 7 David GEIGER 2014-02-26 19:45:28 CET
Tested mga4_32,

Testing complete for imapsync-1.584-1.mga4, Ok for me.

Use Anne's script and procedure on comment 3.

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 8 claire robinson 2014-02-27 16:32:40 CET
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok

Comment 9 claire robinson 2014-02-27 18:24:52 CET
Testing complete mga3 32

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-02-27 23:15:10 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0106.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

