OpenSuSE has issued an advisory today (September 24): http://lists.opensuse.org/opensuse-updates/2015-09/msg00038.html The issue is fixed in 2.4.18. Mageia 5 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
It currently doesn't build with our patches
Status: NEW => ASSIGNED
This bug has been resolved by upgrading to vers. 2.4.18 (and a ton of other bugs). I also removed the very old cyrus-imapd-2.4.12-autosieve-0.6.0.patch because the package didn't build anymore with this very old patch. Neither Fedora nor Opensuse are using it. I will test the update when it is on the mirrors. The following packages are now in update_testing: cyrus-imapd-2.4.18-1.mga5.src.rpm cyrus-imapd-2.4.18-1.mga5.x86_64.rpm cyrus-imapd-murder-2.4.18-1.mga5.x86_64.rpm cyrus-imapd-nntp-2.4.18-1.mga5.x86_64.rpm cyrus-imapd-devel-2.4.18-1.mga5.x86_64.rpm perl-Cyrus-2.4.18-1.mga5.x86_64.rpm cyrus-imapd-utils-2.4.18-1.mga5.x86_64.rpm cyrus-imapd-debuginfo-2.4.18-1.mga5.x86_64.rpm and relevant i586 packages.
Assignee: thomas => qa-bugs
Thanks Thomas, could you also fix it in cauldron?
Actually pkgsubmit shows that Cauldron was updated to 2.4.18 and mga5 just re-pushed the release version back to the build system. SVN doesn't show an update in Mageia 5 either. Thomas, please commit to the Mageia 5 branch and resubmit.
CC: (none) => qa-bugsVersion: Cauldron => 5Assignee: qa-bugs => thomasWhiteboard: MGA5TOO => (none)
Why, I must have submitted the wrong local copy. But why did it take it? I apologize.
(In reply to Thomas Spuhler from comment #5) > Why, I must have submitted the wrong local copy. But why did it take it? > I apologize. What happened was you didn't commit anything to SVN, so when you submitted it it just built the release version. The build system unfortunately will allow to rebuild in updates_testing the same version that's in release or last in updates. This is a bug that would be nice to fix in the build system.
I actually did commit it, but I checked out from cauldron instead of mga5 (forgot to add 5/ when checking out and not noticing) It should be fixed now.
CC: qa-bugs => thomas
Advisory: ======================== Updated cyrus-imapd packages fix security vulnerability: The cyrus-imapd package has been updated to version 2.4.18, fixing a security issue with a urlfetch range starting outside the message range, as well as several other bugs. See the upstream release announcement for details. References: https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html http://lists.opensuse.org/opensuse-updates/2015-09/msg00038.html
just for your info, I have the updates in testing installed on my own server and so far no errors.
(In reply to Thomas Spuhler from comment #9) > just for your info, I have the updates in testing installed on my own server > and so far no errors. Feel free to put the appropriate OK tag on the whiteboard for your architecture. Thanks.
CVE request: http://openwall.com/lists/oss-security/2015/09/29/2
Whiteboard: (none) => x86_64 OK
Whiteboard: x86_64 OK => MGA5-64-OK
Testing complete mga5 32 Aside from a warning about postfix user, basic testing ok. warning: group postfix does not exist - using root # warning: %post(cyrus-imapd-2.4.18-1.mga5.i586) scriptlet failed, exit status 1 ERROR: 'script' failed for cyrus-imapd-2.4.18-1.mga5 # systemctl start cyrus-imapd.service # telnet localhost 143 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] laptop Cyrus IMAP v2.4.18-Mageia-RPM-2.4.18-1.mga5 server ready ^] telnet> quit Connection closed.
Whiteboard: MGA5-64-OK => MGA5-64-OK mga5-32-ok
Whiteboard: MGA5-64-OK mga5-32-ok => has_procedure MGA5-64-OK mga5-32-ok
I wish rpm gave more feedback on scriplet failures so that you could see where it fails. The %post for this package is rather large. Claire, do you see "2.4.18" in /var/lib/imap/rpm/version ? As for the postfix warning, the top section of the package needs: %if %{PREFORK} Requires: postfix %endif
Yup :) # cat /var/lib/imap/rpm/version 2.4.18 If it's an easy fix for the user we may as well make that change.
(In reply to claire robinson from comment #14) > Yup :) > > # cat /var/lib/imap/rpm/version > 2.4.18 Thanks. I think the ERROR for the script you saw is because the service is disabled, in which case it's a known systemd bug in mga5. > If it's an easy fix for the user we may as well make that change. Yup.
Postfix is not installed btw if that helps to track it down.
(In reply to David Walser from comment #15) > (In reply to claire robinson from comment #14) > > Yup :) > > > > # cat /var/lib/imap/rpm/version > > 2.4.18 > > Thanks. I think the ERROR for the script you saw is because the service is > disabled, in which case it's a known systemd bug in mga5. > > > If it's an easy fix for the user we may as well make that change. > > Yup. I didn't see any errors during the upgrade (in mga5).
(In reply to Thomas Spuhler from comment #17) > I didn't see any errors during the upgrade (in mga5). Because you already have postfix installed (and you have the cyrus imapd service enabled).
I wonder if it's worth to take chances. If someone has cyrus-imapd installed he very likely is using (enabled) it.
(In reply to Thomas Spuhler from comment #19) > I wonder if it's worth to take chances. If someone has cyrus-imapd installed > he very likely is using (enabled) it. Yes, that part's not an issue. What is an issue, is if the /var/spool/postfix/extern/cyrus needs to be owned by the postfix group, it won't be unless postfix is installed.
That's a good point. Are we have any other MTA besides postfix that could be affected?
(In reply to Thomas Spuhler from comment #21) > That's a good point. Are we have any other MTA besides postfix that could be > affected? Only postfix provides the postfix user, and it appears that this file is only relevant for postfix.
Although this raises an interesting issue. postfix would conflict with sendmail, so if postfix is required, you can't use cyrus with sendmail. Perhaps that file should be moved to a subpackage that requires postfix and is recommended by cyrus-imapd.
Adding feedback marker for now. If it needs alot of work then we may have to push as-is and issue a separate update.
Whiteboard: has_procedure MGA5-64-OK mga5-32-ok => has_procedure feedback MGA5-64-OK mga5-32-ok
Any movement on this one or shall we push?
I talked to Thomas on IRC an hour and a half ago (about). Let's push this for now. It's still not clear what to do about this issue long-term (if anything).
I went back for quite some changelogs and yes, we added postfix as a requirement, but the requirements to have it are much, much older and I haven't seen a bug report or complaint about it. I guess they just installed postfix. There is no reasons not to use an MTA with cyrus-imapd. It would work the other way round, using an other imap server with the MTA. This may be forcing the issue, <is sendmail> still used?
(In reply to Thomas Spuhler from comment #27) > This may be forcing the issue, <is sendmail> still used? I proposed dropping the sendmail package before Mageia 5 was released and was asked to keep it, so I guess someone still uses it. Whether they use it with cyrus, I have no idea.
Whiteboard: has_procedure feedback MGA5-64-OK mga5-32-ok => has_procedure MGA5-64-OK mga5-32-ok
Validating. Advisory to upload.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK mga5-32-ok => has_procedure advisory MGA5-64-OK mga5-32-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0401.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
CVE-2015-8076, CVE-2015-8077, CVE-2015-8078 allocated for this: http://openwall.com/lists/oss-security/2015/11/04/3
Summary: cyrus-imapd new security issue fixed upstream in 2.4.18 => cyrus-imapd new security issue fixed upstream in 2.4.18 (CVE-2015-807[6-8])
Actually, CVE-2015-8076 was fixed in 2.4.18. Additional fixes are needed for the other two. Opening a new bug.
Summary: cyrus-imapd new security issue fixed upstream in 2.4.18 (CVE-2015-807[6-8]) => cyrus-imapd new security issue fixed upstream in 2.4.18 (CVE-2015-8076)