Bug 12985 - imapsync new security issue CVE-2013-4279
Summary: imapsync new security issue CVE-2013-4279
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Importance: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590190/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-10 17:04 CET by David Walser
Modified: 2014-03-12 17:33 CET (History)
CC: 3 users

See Also:
Source RPM: imapsync-1.584-1.mga4.src.rpm
CVE:
Status comment:
Description David Walser 2014-03-10 17:04:37 CET
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html

It disables a feature where it phones home checking for newer versions available, causing information leakage about the system on which it's being executed.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

Imapsync, by default, runs a "release check" when executed, which causes
imapsync to connect to http://imapsync.lamiral.info and send information
about the version of imapsync, the operating system and perl (CVE-2013-4279).

The imapsync package has been patched to disable this feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4279
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.1.mga3
imapsync-1.584-1.1.mga4

from SRPMS:
imapsync-1.584-1.1.mga3.src.rpm
imapsync-1.584-1.1.mga4.src.rpm

Comment 1 Marc Lattemann 2014-03-10 20:11:05 CET
after installation of imapsync and a simple run of imapsync without any options, iftop shows:
MGA3_32bit => ks.lamiral.info 0b  0b 83b

after update iftop does not show this network connection anymore

successfully tested on mga3 32bit
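An added example, not part of this bug report and not imapsync's own code: a small Python check that automates the test Marc describes above, reading the text output of `iftop -t` and flagging any flow to a lamiral.info host that carried traffic. The sample lines are constructed to mimic the flow line quoted in the comment (the column layout of `iftop -t`, the `lamiral.info` suffix and the rate units are assumptions); a QA run would feed it the real captured output before and after the update.

```python
import re

# Hostname suffix the advisory ties to the release check
# (imapsync.lamiral.info / ks.lamiral.info). Assumption: match on the suffix
# so both names, and any other host under the same domain, are caught.
RELEASE_CHECK_SUFFIX = "lamiral.info"

# Constructed samples in the shape of `iftop -t` flow lines
# (local host, direction, remote host, 2s/10s/40s rates). Not real captures.
SAMPLE_BEFORE_UPDATE = """\
MGA3_32bit => ks.lamiral.info 0b 0b 83b
MGA3_32bit <= ks.lamiral.info 0b 0b 0b
MGA3_32bit => mirror.example.org 0b 1.2Kb 4.5Kb
MGA3_32bit <= mirror.example.org 0b 120Kb 800Kb
"""

SAMPLE_AFTER_UPDATE = """\
MGA3_32bit => mirror.example.org 0b 1.2Kb 4.5Kb
MGA3_32bit <= mirror.example.org 0b 120Kb 800Kb
"""

# Optional leading row number, local host, => or <=, remote host, three rates.
FLOW_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<local>\S+)\s+(?P<dir>=>|<=)\s+(?P<remote>\S+)"
    r"\s+(?P<r2>\S+)\s+(?P<r10>\S+)\s+(?P<r40>\S+)\s*$"
)

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def rate_to_bits(token):
    """Convert an iftop rate token such as '83b' or '1.2Kb' to an integer bit count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(b|Kb|Mb|Gb)", token)
    if not m:
        raise ValueError(f"unrecognised rate token: {token!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_flows(text):
    """Return one dict per flow line; lines that do not look like flows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "local": m.group("local"),
            "dir": m.group("dir"),
            "remote": m.group("remote"),
            "bits_2s": rate_to_bits(m.group("r2")),
            "bits_10s": rate_to_bits(m.group("r10")),
            "bits_40s": rate_to_bits(m.group("r40")),
        })
    return flows


def is_release_check_host(host, suffix=RELEASE_CHECK_SUFFIX):
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def release_check_flows(text, suffix=RELEASE_CHECK_SUFFIX):
    """Flows to a release-check host that actually carried bytes in any window."""
    return [
        f for f in parse_flows(text)
        if is_release_check_host(f["remote"], suffix)
        and (f["bits_2s"] or f["bits_10s"] or f["bits_40s"])
    ]


def phones_home(text):
    """True if the capture shows traffic to the release-check host."""
    return bool(release_check_flows(text))


if __name__ == "__main__":
    for label, sample in (("before update", SAMPLE_BEFORE_UPDATE),
                          ("after update", SAMPLE_AFTER_UPDATE)):
        hits = release_check_flows(sample)
        print(f"{label}: {'phones home' if hits else 'no release-check traffic'}")
        for f in hits:
            print(f"  {f['local']} {f['dir']} {f['remote']} ({f['bits_40s']} bits/40s)")
```

Only flows with a non-zero rate are counted, so the idle `<=` reply line in the first sample is not reported on its own; the `=>` line with 83 bits in the 40-second window is, which matches what the comment saw before the update.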
Comment 2 Marc Lattemann 2014-03-10 20:26:03 CET
updates with same procedure successfully tested for
mga3 64bit
mga4 32bit
mga4 64bit

after advisory from Comment #0 is uploaded, updates can be moved to core_updates.
Comment 3 claire robinson 2014-03-11 14:53:03 CET
Well done Marc, you're back in the groove!

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 4 Thomas Backlund 2014-03-12 17:33:18 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0127.html