OpenSuSE has issued an advisory on November 27:
http://lists.opensuse.org/opensuse-updates/2015-11/msg00156.html

They added patches in this diff:
https://build.opensuse.org/package/rdiff/openSUSE:13.2:Update/cyrus-imapd?linkrev=base&rev=3

The CVE assignment also links upstream fixes:
http://openwall.com/lists/oss-security/2015/11/04/3
URL: (none) => http://lwn.net/Vulnerabilities/666133/
The descriptions sound a little confusing. I am going to wait to see what Fedora is going to do.
Status: NEW => ASSIGNED
It's just two patches from upstream. They were committed after the 2.4.18 release, which is why we missed them in the last update.
This bug has now been resolved by applying patch 2.3.18-potential-overflow from Fedora. Suse has 2 patches but they are confusing.

The following RPMs are now in mga5 updates_testing:
cyrus-imapd-2.4.18-1.1.mga5.src.rpm
cyrus-imapd-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-murder-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-nntp-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-devel-2.4.18-1.1.mga5.x86_64.rpm
perl-Cyrus-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-utils-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-debuginfo-2.4.18-1.1.mga5.x86_64.rpm
and corresponding i586 packages
CC: (none) => thomas
Assignee: thomas => qa-bugs
I don't see anything "confusing" about the patches OpenSuSE used, as they look exactly the same as the upstream commits to fix these issues. The Fedora patch is completely different and addresses an unrelated issue. Please add the correct patches.
CC: (none) => qa-bugs
Assignee: qa-bugs => thomas
Patched packages uploaded for Mageia 5 and Cauldron (pending stuck build system).

Advisory:
========================

Updated cyrus-imapd packages fix security vulnerabilities:

Cyrus-imapd versions 2.4.18 and earlier are vulnerable to potential integer and buffer overflows (CVE-2015-8077, CVE-2015-8078).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8078
http://lists.opensuse.org/opensuse-updates/2015-11/msg00156.html
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.4.18-1.2.mga5
cyrus-imapd-murder-2.4.18-1.2.mga5
cyrus-imapd-nntp-2.4.18-1.2.mga5
cyrus-imapd-devel-2.4.18-1.2.mga5
perl-Cyrus-2.4.18-1.2.mga5
cyrus-imapd-utils-2.4.18-1.2.mga5

from cyrus-imapd-2.4.18-1.2.mga5.src.rpm
CC: qa-bugs => (none)
Assignee: thomas => qa-bugs
MGA5-32 Xfce on Acer D620
No installation issues.
Tried test as per bug16823, got following at CLI:

# systemctl start cyrus-imapd.service
no feedback
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; enabled)
   Active: active (running) since wo 2016-01-13 10:52:32 CET; 50min ago
  Process: 23580 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 23631 (cyrus-master)
   CGroup: /system.slice/cyrus-imapd.service
           ├─23631 /usr/lib/cyrus-imapd/cyrus-master
           ├─23645 idled
           ├─23647 imapd
           ├─23648 imapd -s
           ├─23649 pop3d
           ├─23650 pop3d -s
           ├─23651 lmtpd
           ├─23652 notifyd
           ├─23654 imapd
           ├─23655 pop3d
           ├─23656 imapd
           ├─23657 pop3d
           ├─23659 imapd
           ├─23661 imapd
           └─32736 n/a

jan 13 11:43:15 mach6.hviaene.thuis ptloader[334]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[334]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 334 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[335]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[335]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 335 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[336]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[336]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 336 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[337]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[337]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 337 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[338]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[338]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 338 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[339]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[339]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 339 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[340]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[340]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 340 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[341]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[341]: PTS module afskrb not supported

Tried to continue
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
* BAD Error in IMAP command received by server.
* BAD Error in IMAP command received by server.
* BYE Too many invalid IMAP commands.
Connection closed by foreign host.

On further reading bug16823, I got the impression this is somehow dependent on postfix, but this one is not installed here. If the dependency is real, why is it not handled properly in the rpm???
CC: (none) => herman.viaene
It's only dependent on postfix if you use it with postfix. It can be used with any MTA (like sendmail for instance).
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing M5 x64 (with PostFix already installed in the light of Comment 7; the implication is that *an* MTA needs to be installed beforehand).

Installed issued:
cyrus-imapd-2.4.18-1.mga5
cyrus-imapd-murder-2.4.18-1.mga5
cyrus-imapd-nntp-2.4.18-1.mga5
cyrus-imapd-utils-2.4.18-1.mga5
perl-Cyrus-2.4.18-1.mga5
(plus telnet server & client for testing it).

Running the given mini-test:

BEFORE update:
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; enabled)
   Active: active (running) since Maw 2016-02-02 21:07:39 CET; 12s ago
  Process: 14529 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 14579 (cyrus-master)
   CGroup: /system.slice/cyrus-imapd.service
           ├─14579 /usr/lib/cyrus-imapd/cyrus-master
[etc as per Comment 6].

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] localhost.localdomain Cyrus IMAP v2.4.18-Mageia-RPM-2.4.18-1.mga5 server ready
^]
telnet> quit
Connection closed.

AFTER smooth update to:
cyrus-imapd-2.4.18-1.2.mga5
cyrus-imapd-murder-2.4.18-1.2.mga5
cyrus-imapd-nntp-2.4.18-1.2.mga5
cyrus-imapd-utils-2.4.18-1.2.mga5
perl-Cyrus-2.4.18-1.2.mga5

# systemctl stop cyrus-imapd.service
# systemctl start cyrus-imapd.service
then behaviour identical to previously. So this update deemed OK.
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
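
An added example (not part of any comment in this report, and not code from Mageia or Cyrus): a banner check for the telnet mini-test used above, which parses the IMAP greeting and reports whether port 143 was answered by the Cyrus package under test. The two greeting strings are copied from the sessions quoted in this thread; the function names, and the assumption that the packaged banner carries the RPM release after `RPM-`, belong to this example.

```python
import re

# Greeting lines copied from the two telnet sessions quoted in this thread.
GREETING_FIRST_TEST = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS AUTH=PLAIN] Dovecot ready."
)
GREETING_SECOND_TEST = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] "
    "localhost.localdomain Cyrus IMAP v2.4.18-Mageia-RPM-2.4.18-1.mga5 server ready"
)

# "* <status> [CAPABILITY a b c] free text"; the capability list is optional.
GREETING_RE = re.compile(
    r"^\* (?P<status>OK|PREAUTH|BYE)(?: \[CAPABILITY (?P<caps>[^\]]*)\])? ?(?P<text>.*)$"
)
# Assumption: the packaged Cyrus banner carries the RPM release after "RPM-",
# as it does in the second session above.
CYRUS_RE = re.compile(r"Cyrus IMAP v(?P<version>\d+(?:\.\d+)+)(?:-\S*?RPM-(?P<rpm>\S+))?")


def parse_greeting(line):
    """Split an IMAP greeting into status, capabilities and server identity."""
    m = GREETING_RE.match(line.strip())
    if m is None:
        raise ValueError("not an IMAP greeting: %r" % line)
    cyrus = CYRUS_RE.search(m.group("text"))
    return {
        "status": m.group("status"),
        "capabilities": (m.group("caps") or "").split(),
        "text": m.group("text"),
        "cyrus_version": cyrus.group("version") if cyrus else None,
        "rpm_release": cyrus.group("rpm") if cyrus else None,
    }


def check_service_under_test(line, expected_rpm):
    """Return findings; an empty list means the banner matches the package."""
    g = parse_greeting(line)
    if g["status"] != "OK":
        return ["server did not greet with OK: " + g["status"]]
    if g["cyrus_version"] is None:
        return ["port answered by a different server: " + g["text"]]
    if g["rpm_release"] != expected_rpm:
        return ["banner reports release %s, expected %s" % (g["rpm_release"], expected_rpm)]
    return []
```

Calling `check_service_under_test(banner, "2.4.18-1.2.mga5")` on the greeting captured after the update gives a pass/fail result that does not rely on reading the banner by eye.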
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0045.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED