Mandriva has issued this advisory today (March 23):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:037

Cauldron is not vulnerable.
Update built.

Advisory:
========================

Updated cyrus-imapd packages fix security vulnerability:

The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message (CVE-2011-3481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3481
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:037
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.3.16-4.2.mga1
cyrus-imapd-murder-2.3.16-4.2.mga1
cyrus-imapd-nntp-2.3.16-4.2.mga1
cyrus-imapd-devel-2.3.16-4.2.mga1
perl-Cyrus-2.3.16-4.2.mga1
cyrus-imapd-utils-2.3.16-4.2.mga1

from cyrus-imapd-2.3.16-4.2.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete on i586 for the srpm cyrus-imapd-2.3.16-4.2.mga1.src.rpm.

I use cyrus-imapd as part of a kolab setup. Testing getting/sending/deleting imap messages.
CC: (none) => davidwhodgins
Ping. We still need x86-64 testing for this security update.
# telnet localhost 143

Shows "Cyrus IMAP v2.3.16-Mandriva-RPM-2.3.16-4.2.mga1 server ready"
Set a password for cyrus:

# passwd cyrus

Then used cyradm from cyrus-imapd-utils:

# cyradm --user cyrus --server localhost --auth plain
localhost> info
Server Wide:
  freespace: 3340932
localhost> cm test
localhost> info test
{test}:
  condstore: false
  duplicatedeliver: false
  lastpop:
  lastupdate: 20-Apr-2012 12:00:06 +0100
  partition: default
  pop3newuidl: true
  sharedseen: false
  size: 0
localhost> ver
name       : Cyrus IMAPD
version    : v2.3.16-Mandriva-RPM-2.3.16-4.2.mga1 2009/12/21 13:09:10
vendor     : Project Cyrus
support-url: http://cyrusimap.web.cmu.edu
os         : Linux
os-version : 2.6.38.8-desktop-10.mga
environment: Built w/Cyrus SASL 2.1.23
             Running w/Cyrus SASL 2.1.23
             Built w/Berkeley DB 4.8.30: (March 25, 2011)
             Running w/Berkeley DB 4.8.30: (March 25, 2011)
             Built w/OpenSSL 1.0.0d 8 Feb 2011
             Running w/OpenSSL 1.0.0d 8 Feb 2011
             Built w/zlib 1.2.5
             Running w/zlib 1.2.5
             CMU Sieve 2.3
             TCP Wrappers
             NET-SNMP
             mmap = shared
             lock = fcntl
             nonblock = fcntl
             idle = poll
localhost> lm
test (\HasNoChildren)
localhost> lam test
anyone lrs
localhost> sam test cyrus c
localhost> dm test
localhost> disc
cyradm> quit

David, do you want to remove the Mandriva reference before this is pushed?
Thanks Claire! The Mandriva reference didn't even come from a patch, it was right in the SPEC file, and it hadn't been fixed in Cauldron either. I've fixed it in both places and rebuilt it. Mageia 1 updates_testing SRPM is now cyrus-imapd-2.3.16-4.3.mga1.
Retested x86_64, all OK. Given the nature of the change I think we can validate.

Advisory:
========================

Updated cyrus-imapd packages fix a security vulnerability and remove an old Mandriva reference:

The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message (CVE-2011-3481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3481
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:037
========================

SRPM: cyrus-imapd-2.3.16-4.3.mga1

Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Testing complete on i586 for the srpm cyrus-imapd-2.3.16-4.3.mga1.src.rpm.

In addition to getting mail from the server, telnet to port 143 now shows Mageia.
Update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED