Bug 3955 - cyrus-imapd missing security update for CVE-2011-1926, CVE-2011-3208, and CVE-2011-3372
Summary: cyrus-imapd missing security update for CVE-2011-1926, CVE-2011-3208, and CVE...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-12-30 23:12 CET by David Walser
Modified: 2012-01-21 18:24 CET (History)
4 users (show)

See Also:
Source RPM: cyrus-imapd-2.3.16-4.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2011-12-30 23:12:48 CET
Mandriva issued this advisory on October 14:
http://lists.mandriva.com/security-announce/2011-10/msg00024.php

The Cauldron version is also vulnerable, but upgrading it to a newer version (like 2.3.18 or the newest 2.4.x) would be sufficient to address these.
Comment 1 Manuel Hiebel 2011-12-31 00:04:00 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => thomas

Comment 2 David Walser 2012-01-01 19:14:38 CET
Also an advisory from Mandriva on May 24:
http://lists.mandriva.com/security-announce/2011-05/msg00025.php

This one requires a patch or update to 2.4.7 or newer.

Summary: cyrus-imapd missing security update for CVE-2011-3208 and CVE-2011-3372 => cyrus-imapd missing security update for CVE-2011-1926, CVE-2011-3208, and CVE-2011-3372

Comment 3 Thomas Spuhler 2012-01-02 02:24:26 CET
OK, I'll work on it

Status: NEW => ASSIGNED

Comment 4 Thomas Spuhler 2012-01-02 17:44:49 CET
it's in updates testing.
FYI cyrus-imapd-2.3.15-CVE-2011-1926.diff seems to be applied to our mga1 (we have 2.3.16)
Comment 5 Manuel Hiebel 2012-01-02 21:42:57 CET
Thanks so we can reassign to the QA.

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 6 Dave Hodgins 2012-01-09 03:02:09 CET
Testing complete on i586 for the srpm
cyrus-imapd-2.3.16-4.1.mga1.src.rpm

No poc, so just testing that the server works.
Test done using opera to access my imap folders on localhost.

CC: (none) => davidwhodgins

Comment 7 claire robinson 2012-01-16 13:40:08 CET
Tested x86_64 using cyradm from cyrus-impad-utils

Added an admin user in /etc/imapd.conf an restarted cyrus-imapd

used cyradm localhost as the admin user and tested with various commands, (cm lq sq lam lm ver), commands found using 'help'.

Update validated.

Thomas you never supplied an advisory, are fixes included for both comment 0 and comment 2?
Comment 8 David Walser 2012-01-16 16:23:59 CET
Thomas noted that the CVE from Comment 2 is already fixed in the version we have in Comment 4.
Comment 9 David Walser 2012-01-16 16:28:49 CET
Advisory:
========================

Updated cyrus-imapd package fixes security vulnerabilities:

Stack-based buffer overflow in the split_wildmats function in nntpd.c
in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11
allows remote attackers to execute arbitrary code via a crafted NNTP
command (CVE-2011-3208).

Secunia Research has discovered a vulnerability in Cyrus IMAPd,
which can be exploited by malicious people to bypass certain security
restrictions. The vulnerability is caused due to an error within the
authentication mechanism of the NNTP server, which can be exploited
to bypass the authentication process and execute commands intended
for authenticated users by sending an AUTHINFO USER command without
a following AUTHINFO PASS command (CVE-2011-3372).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:149
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.3.16-4.1.mga1.i586.rpm
cyrus-imapd-devel-2.3.16-4.1.mga1.i586.rpm
cyrus-imapd-murder-2.3.16-4.1.mga1.i586.rpm
cyrus-imapd-nntp-2.3.16-4.1.mga1.i586.rpm
cyrus-imapd-utils-2.3.16-4.1.mga1.i586.rpm
perl-Cyrus-2.3.16-4.1.mga1.i586.rpm

from cyrus-imapd-2.3.16-4.1.mga1.src.rpm
========================

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: Triaged => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 10 claire robinson 2012-01-16 17:06:47 CET
I must have missed that, thankyou for interpreting.
Comment 11 Thomas Backlund 2012-01-21 18:24:17 CET
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.