[Full-disclosure] [ MDVSA-2011:149 ] cyrus-imapd



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:149
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cyrus-imapd
Date : October 14, 2011
Affected: 2009.0, 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
cyrus-imapd:

Stack-based buffer overflow in the split_wildmats function in nntpd.c
in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11
allows remote attackers to execute arbitrary code via a crafted NNTP
command (CVE-2011-3208).

Secunia Research has discovered a vulnerability in Cyrus IMAPd,
which can be exploited by malicious people to bypass certain security
restrictions. The vulnerability is caused due to an error within the
authentication mechanism of the NNTP server, which can be exploited
to bypass the authentication process and execute commands intended
for authenticated users by sending an AUTHINFO USER command without
a following AUTHINFO PASS command (CVE-2011-3372).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
54e4d920a1dc6961449fe92a21d70aea 2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
b027ab6d3826bb90f3efeeaf9f0cfd38 2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
e12bf8783bfdabd829527b7a9a98ab91 2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
83a6a642fbeedc4d5f0adc5719a0080c 2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
2f893ebd6b25ed7f91af9d139e3cdf67 2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
aa73b1fc08697d507a1b498dac9fc9d3 2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
a41a72745a688b0949ae18f726a4a899 2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
ddd19215cbb8d0f739ab3eac2ed9195b 2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
835254b0b18a7a31deabf3dafb25c505 2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
a4140740defa18ad54124b59ac5ced08 2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
f175718d4f8c935eaea646aacfb87fd2 2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
8abf84c4ae32460ce1b9fa540c0e8e1f 2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
d42f6a2dda95ff5f7e78a7d2ddc63634 2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
a41a72745a688b0949ae18f726a4a899 2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

Mandriva Linux 2010.1:
b2510223c771d01a0a43c07f42cb0be6 2010.1/i586/cyrus-imapd-2.3.15-10.3mdv2010.2.i586.rpm
ff5eaf5369620b878391c031833e869a 2010.1/i586/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.i586.rpm
b9beb4b0160a2eda64fafb1bd2cd5dcb 2010.1/i586/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.i586.rpm
646c64b84804113026d7fbee610623de 2010.1/i586/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.i586.rpm
7e0d6868b3383fd9982e93c8f5daf34d 2010.1/i586/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.i586.rpm
b0d952ba0fa0bd49a3f7d66dfd0d20ab 2010.1/i586/perl-Cyrus-2.3.15-10.3mdv2010.2.i586.rpm
91f58a4c94abbe71004c81d22d1dd954 2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
d0c07cb3c99c41c97e185074b3e5f68b 2010.1/x86_64/cyrus-imapd-2.3.15-10.3mdv2010.2.x86_64.rpm
30a9fc8ee330a3d148cf30fa0c068695 2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.x86_64.rpm
9e9b90b86fc365b7714c07d19f6211f1 2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.x86_64.rpm
a3f454c4bc8b9d49fc285a2f258c5641 2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.x86_64.rpm
c27bc4046e4edb82d5ef0afb30b1fb19 2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.x86_64.rpm
be0dbebb632f2e054465cdeda28edbf7 2010.1/x86_64/perl-Cyrus-2.3.15-10.3mdv2010.2.x86_64.rpm
91f58a4c94abbe71004c81d22d1dd954 2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

Mandriva Linux 2011:
ebe69cb95fb6874413e4fa97648d6cad 2011/i586/cyrus-imapd-2.3.16-7.1-mdv2011.0.i586.rpm
cd7fbd790cb66ecd639bf8b128668cac 2011/i586/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.i586.rpm
eb78400f64696546133b277556047d2b 2011/i586/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.i586.rpm
e88682e14a537ac865af12bb6d804724 2011/i586/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.i586.rpm
e4677ac6a793215bb72ad163dcae1774 2011/i586/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.i586.rpm
8276f4a486bbbadbb5423c26b4adf0d6 2011/i586/perl-Cyrus-2.3.16-7.1-mdv2011.0.i586.rpm
6438fb0d0c9545c3c773598875e6e0f6 2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

Mandriva Linux 2011/X86_64:
ce0c97c28bc8a6b6f388530d92e5b33e 2011/x86_64/cyrus-imapd-2.3.16-7.1-mdv2011.0.x86_64.rpm
61457b6448ec7faf3943ac4b87bb0482 2011/x86_64/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.x86_64.rpm
e86a7e251cb50d53c86c4ae2b016ecf1 2011/x86_64/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.x86_64.rpm
1a95f9257bb366be1da897af9ed4a495 2011/x86_64/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.x86_64.rpm
2f72036afd5b32e8fcce130340334cd9 2011/x86_64/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.x86_64.rpm
2dddd70d1c8df83d30abea15895a02fa 2011/x86_64/perl-Cyrus-2.3.16-7.1-mdv2011.0.x86_64.rpm
6438fb0d0c9545c3c773598875e6e0f6 2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

Mandriva Enterprise Server 5:
c7fd893f177ccdb0e1bc965ef2a03dc6 mes5/i586/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
e503472475bc013c4c7cc243bcac541b mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
33fcfe50614189975eb5ee5d3a65f908 mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
100ece0aadd61e09963e6d72ac9b5fb2 mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
032bd3b1c4e554676db6ecbc9063a9c9 mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
9387c22cbe5a1fa40dae1cb9a502b286 mes5/i586/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
57e222015b6d051ab5246d1deed73804 mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
1d809a8f695f1b8fbc407af0dc216ca0 mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
b9bf166cfe741ae746674d05c3d6ad3a mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
3739c923a3b3d0fccc598d468eaa2048 mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
5971440e8872b5a820c2fc6e9c151b06 mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
d0d378499795a0a5aefabf6ea321f064 mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
2dc5d80a0c361b2a9216c5368cf2bed9 mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
57e222015b6d051ab5246d1deed73804 mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOmE+AmqjQ0CJFipgRAiXpAKCCOKU1/pAsFHn6o4QvJ0qiNHUKcACfQ8sa
4njgAqVphfco+jXlw4YnOS0=
=TTn/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [Full-disclosure] [ MDVSA-2011:027 ] openoffice.org
    ... Multiple directory traversal vulnerabilities allow remote attackers ... OpenOffice.org packages have been updated in order to fix these ... Mandriva Linux 2009.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2011:027 ] openoffice.org
    ... Multiple directory traversal vulnerabilities allow remote attackers ... OpenOffice.org packages have been updated in order to fix these ... Mandriva Linux 2009.0/X86_64: ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2011:031 ] python-django
    ... Multiple vulnerabilities has been found and corrected in python-django: ... and 1.2.x before 1.2.5 might allow remote attackers to inject ... Updated Packages: ... Mandriva Linux 2010.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2011:031 ] python-django
    ... Multiple vulnerabilities has been found and corrected in python-django: ... and 1.2.x before 1.2.5 might allow remote attackers to inject ... Updated Packages: ... Mandriva Linux 2010.0/X86_64: ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2008:101 ] - Updated rdesktop packages fix vulnerabilities
    ... Several vulnerabilities were discovered in rdesktop, ... code with the privileges of the logged-in user. ... The updated packages have been patched to correct these issues. ... Mandriva Linux 2007.1/X86_64: ...
    (Full-Disclosure)