Bug 12985 - imapsync new security issue CVE-2013-4279
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590190/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
Reported: 2014-03-10 17:04 CET by David Walser
Modified: 2014-03-12 17:33 CET
Source RPM: imapsync-1.584-1.mga4.src.rpm

Description David Walser 2014-03-10 17:04:37 CET
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html

It disables a feature where it phones home checking for newer versions available, causing information leakage about the system on which it's being executed.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated imapsync package fixes security vulnerability:

Imapsync, by default, runs a "release check" when executed, which causes
imapsync to connect to http://imapsync.lamiral.info and send information
about the version of imapsync, the operating system and perl (CVE-2013-4279).

The imapsync package has been patched to disable this feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4279
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129687.html
========================

Updated packages in core/updates_testing:
========================
imapsync-1.584-1.1.mga3
imapsync-1.584-1.1.mga4

from SRPMS:
imapsync-1.584-1.1.mga3.src.rpm
imapsync-1.584-1.1.mga4.src.rpm

Comment 1 Marc Lattemann 2014-03-10 20:11:05 CET
after installation of imapsync and simple run of imapsync without any options iftop shows:
MGA3_32bit => ks.lamiral.info 0b  0b 83b

after update iftop does not show this network connection anymore

successfully tested on mga3 32bit
Comment 2 Marc Lattemann 2014-03-10 20:26:03 CET
updates with same procedure successfully tested for 
mga3 64bit
mga4 32bit
mga4 64bit

after advisory from Comment #0 is uploaded updates can be moved to core_updates.
Comment 3 claire robinson 2014-03-11 14:53:03 CET
Well done Marc, you're back in the groove!

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 4 Thomas Backlund 2014-03-12 17:33:18 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0127.html
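
A fleet-side check for the release-check behaviour described in the advisory, as an added example that is not part of this bug report or of imapsync: it scans resolver logs for lookups of the release-check host to find machines that still run an unpatched imapsync. The dnsmasq-style log format, the client addresses and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Host contacted by the release check, as named in the advisory above.
RELEASE_CHECK_HOST = "imapsync.lamiral.info"

# Constructed sample in dnsmasq "log-queries" style; clients and times are made up.
SAMPLE_LOG = """\
Mar 10 20:11:05 dnsmasq[812]: query[A] imapsync.lamiral.info from 192.0.2.23
Mar 10 20:11:05 dnsmasq[812]: forwarded imapsync.lamiral.info to 198.51.100.1
Mar 10 20:12:40 dnsmasq[812]: query[AAAA] IMAPSYNC.lamiral.info. from 192.0.2.23
Mar 10 20:15:02 dnsmasq[812]: query[A] imapsync.lamiral.info.example.net from 192.0.2.40
Mar 10 20:16:30 dnsmasq[812]: query[A] notimapsync.lamiral.info from 192.0.2.41
Mar 11 09:00:00 dnsmasq[812]: query[A] imapsync.lamiral.info from 192.0.2.57
"""

# Only "query[...] <name> from <client>" lines identify who asked for the name.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def find_release_checks(log_text, host=RELEASE_CHECK_HOST):
    """Return {client: [timestamps]} for clients that resolved exactly `host`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwards, replies and other daemons' lines
        # Exact match only: suffixed and look-alike names must not count.
        if normalize(m.group("name")) == normalize(host):
            hits[m.group("client")].append(m.group("ts"))
    return dict(hits)


if __name__ == "__main__":
    for client, seen in sorted(find_release_checks(SAMPLE_LOG).items()):
        print(f"{client}: {len(seen)} lookup(s), first {seen[0]}, last {seen[-1]}")
```

A lookup only shows that the name was resolved; a browser visit to the project site produces the same log entry, so treat each client as a machine to check for the updated package.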