https://linuxsecurity.com/advisories/debian/debian-dsa-4590-1-cyrus-imapd-security-update-17-54-18
CVE: (none) => CVE-2019-19783
Component: RPM Packages => Security
Thank you for the notification. Checked -ve for duplicate of the CVE. No registered maintainer => assign globally; another CC for DavidG as recent committer.
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
Source RPM: cyrus-imapd => cyrus-imapd-2.5.11-7.1.mga7.src.rpm
QA Contact: (none) => security
Actual link to the Debian advisory from December 19: https://www.debian.org/security/2019/dsa-4590 The issue is fixed upstream in 2.5.15.
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Summary: DSA-4590-1: cyrus-imapd security update CVE-2019-19783 => cyrus-imapd new security issue CVE-2019-19783
Done for both Cauldron and mga7!
Advisory:
========================

Updated cyrus-imapd packages fix security vulnerability:

It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks (CVE-2019-19783).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19783
https://www.debian.org/security/2019/dsa-4590
========================

Updated packages in core/updates_testing:
========================

cyrus-imapd-2.5.15-1.mga7
libcyrus-imapd0-2.5.15-1.mga7
libcyrus-imapd-devel-2.5.15-1.mga7
perl-Cyrus-2.5.15-1.mga7

from cyrus-imapd-2.5.15-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Fedora has issued an advisory on December 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/ This fixes a new security issue. The issue is fixed upstream in 2.5.14.
Severity: normal => major
Summary: cyrus-imapd new security issue CVE-2019-19783 => cyrus-imapd new security issues CVE-2019-18928 and CVE-2019-19783
CVE: CVE-2019-19783 => CVE-2019-18928, CVE-2019-19783
Advisory:
========================

Updated cyrus-imapd packages fix security vulnerability:

It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks (CVE-2019-19783).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19783
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.12.html
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/
https://www.debian.org/security/2019/dsa-4590
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25134 for testing
First installed postfix to get the postfix group then
# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-01-03 14:28:25 CET; 13s ago
  Process: 17721 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 17785 (cyrus-master)
   Memory: 36.2M
   CGroup: /system.slice/cyrus-imapd.service
           ├─17785 /usr/lib/cyrus-imapd/cyrus-master
           ├─17791 idled
           ├─17793 imapd
           ├─17794 imapd
           ├─17795 imapd
           ├─17796 imapd
           ├─17797 imapd
           ├─17798 imapd -s
           ├─17799 pop3d
           ├─17800 pop3d
           ├─17801 pop3d
           ├─17802 pop3d -s
           ├─17803 lmtpd
           ├─17804 imapd
           ├─17805 imapd
           ├─17806 imapd
           ├─17807 imapd
           ├─17808 imapd
           ├─17809 imapd -s
           ├─17810 pop3d
           ├─17811 pop3d
           ├─17812 pop3d
           └─17813 pop3d -s

jan 03 14:28:25 mach5.hviaene.thuis su[17727]: (to cyrus) root on none
jan 03 14:28:25 mach5.hviaene.thuis su[17727]: pam_unix(su:session): session opened for user cyrus by (uid=0)
jan 03 14:28:25 mach5.hviaene.thuis su[17727]: pam_unix(su:session): session closed for user cyrus
jan 03 14:28:25 mach5.hviaene.thuis systemd[1]: Started Cyrus-imapd IMAP/POP3 email server.
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: skiplist: clean shutdown file missing, updating recovery stamp
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: recovering cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17788]: done recovering cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis master[17785]: unable to setsocketopt(IP_TOS) service lmtpunix/unix: Operation not supported
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17792]: checkpointing cyrus databases
jan 03 14:28:25 mach5.hviaene.thuis ctl_cyrusdb[17792]: done checkpointing cyrus databases
and
$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach5.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-1.mga7 server ready
^]
telnet> quit
Connection closed.
Seems OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
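The QA check above confirms the fix by reading the Cyrus version out of the IMAP greeting. As an added example that is not part of this bug thread or the Cyrus project, the POSIX sh script below automates that check: it extracts the version from a greeting banner (or strips the release from an RPM VERSION-RELEASE string), compares it numerically against the upstream fix versions stated in the thread (2.5.14 for CVE-2019-18928, 2.5.15 for CVE-2019-19783), and returns a distinct exit status when no version can be determined so an unknown server is not silently reported as fixed. The first banner is the one captured in the QA comment; the other banners, host names and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Cyrus project:
# decide from an IMAP greeting banner (or an RPM version string) whether a
# cyrus-imapd build predates the upstream fixes named in the thread:
#   CVE-2019-18928 fixed in 2.5.14, CVE-2019-19783 fixed in 2.5.15.
# QA_BANNER is the greeting captured in the QA comment; the other sample
# inputs are constructed.

QA_BANNER='* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach5.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-1.mga7 server ready'
OLD_BANNER='* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mail.example.test Cyrus IMAP 2.5.11-Kolab-2.5.11-7.1.mga7 server ready'  # constructed
OTHER_BANNER='* OK Dovecot ready.'  # constructed: not Cyrus, version unknown

# Pull "x.y.z" out of "... Cyrus IMAP x.y.z-whatever server ready";
# prints nothing when the banner is not a Cyrus greeting.
cyrus_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Cyrus IMAP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Strip the RPM release from a VERSION-RELEASE string: 2.5.15-1.mga7 -> 2.5.15
rpm_upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Normalise a dotted version to exactly three numeric fields ("3.0" -> "3 0 0"),
# so that a two-field version is not misread as x.y.y.
split3() {
    v=$1
    p1=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    p2=${rest%%.*}; rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0
    p3=${rest2%%.*}
    printf '%s %s %s\n' "$p1" "$p2" "$p3"
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# Both substitutions expand before "set --" runs, so $1 and $2 are intact.
version_cmp() {
    set -- $(split3 "$1") $(split3 "$2")
    for i in 1 2 3; do
        case $i in
            1) a=$1; b=$4 ;;
            2) a=$2; b=$5 ;;
            3) a=$3; b=$6 ;;
        esac
        if [ "$a" -lt "$b" ]; then printf '%s\n' -1; return; fi
        if [ "$a" -gt "$b" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit 0 when VERSION is at or above MIN_FIXED, 1 when it is older,
# 2 when no version could be determined.  A verdict line goes to stdout.
assess_version() {
    ver=$1; min=$2; cve=$3
    [ -n "$ver" ] || { printf '%s: version unknown, check manually\n' "$cve"; return 2; }
    if [ "$(version_cmp "$ver" "$min")" -ge 0 ]; then
        printf '%s: %s >= %s, fixed\n' "$cve" "$ver" "$min"
        return 0
    fi
    printf '%s: %s < %s, VULNERABLE\n' "$cve" "$ver" "$min"
    return 1
}

# Banner in, verdict for one CVE out.
assess_banner() {
    assess_version "$(cyrus_banner_version "$1")" "$2" "$3"
}

# Stand-alone run over the sample inputs; "|| :" keeps a vulnerable verdict
# from aborting the loop under "set -e".
demo() {
    for banner in "$QA_BANNER" "$OLD_BANNER" "$OTHER_BANNER"; do
        assess_banner "$banner" 2.5.14 CVE-2019-18928 || :
        assess_banner "$banner" 2.5.15 CVE-2019-19783 || :
    done
    # The pre-update Mageia 7 package from the Source RPM field above
    assess_version "$(rpm_upstream_version 2.5.11-7.1.mga7)" 2.5.15 CVE-2019-19783 || :
}
demo
```

On a live host the banner would come from something like `printf '' | nc -w 2 host 143 | head -1` and the package version from `rpm -q --qf '%{VERSION}-%{RELEASE}' cyrus-imapd`; the script deliberately separates the three exit codes so a fleet sweep can list unknown servers separately from vulnerable ones.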
Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0010.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED