Fedora Core 3 Update: cyrus-imapd-2.2.12-1.1.fc3
Posted by Benjamin D. Thomas
Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-339
2005-04-27
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : cyrus-imapd
Version     : 2.2.12                      
Release     : 1.1.fc3                  
Summary     : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for
security.

---------------------------------------------------------------------
Update Information:

Several buffer overflow bugs were found in cyrus-imapd. It is possible that
an authenticated malicious user could cause the imap server to crash.
Additionally, a peer news admin could potentially execute arbitrary code on
the imap server when news is received using the fetchnews command. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0546 to this issue.

In addition, this version of the rpm contains a collection of other
fixes since the last FC3 update (see the changelog below).

>>>>>>>>>>>> IMPORTANT NOTE FOR X86_64 INSTALLATION <<<<<<<<<<<<

This rpm also fixes bug #156121, which incorrectly placed some
executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64 bit
libraries, and this caused problems for existing scripts that expected
to find them in a canonical location (/usr/lib/cyrus-imapd) and
violated the multilib packaging guidelines. Only references external to
the cyrus-imapd package are affected by this; the rpm is
self-consistent. The most notable example is /usr/lib64/cyrus-imapd/deliver,
which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged
in preference to deliver). This change only affects x86_64
installations.
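
An added example, not part of the Fedora advisory: a small shell audit that finds external references to the old /usr/lib64/cyrus-imapd location and shows the corrected line for each hit. The function names and the Postfix-style sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): locate references to the old x86_64
# helper directory that the updated package no longer uses.
OLD_DIR=/usr/lib64/cyrus-imapd
NEW_DIR=/usr/lib/cyrus-imapd

# Print file:line:text for each reference to OLD_DIR under the given paths.
# -F fixed string, -I skip binary files, -H always print the file name.
find_stale_refs() {
    grep -rnIHF -e "$OLD_DIR/" "$@" 2>/dev/null || true
}

# Return the same text with the directory rewritten to the new location.
rewrite_path() {
    printf '%s\n' "$1" | sed "s#$OLD_DIR/#$NEW_DIR/#g"
}

# Report each hit with the line an administrator would change it to.
# Returns 1 if any stale reference was found, 0 otherwise.
audit_paths() {
    hits=$(find_stale_refs "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        printf '%s line %s\n  old: %s\n  new: %s\n' \
            "$file" "${rest%%:*}" "${rest#*:}" "$(rewrite_path "${rest#*:}")"
    done
    return 1
}

# Constructed sample: a Postfix-style pipe transport still using the old path,
# next to a file that already delivers over lmtp and must not be flagged.
demo_dir=$(mktemp -d)
printf 'cyrus unix - n n - - pipe\n  user=cyrus argv=%s/deliver -e -r ${sender}\n' \
    "$OLD_DIR" > "$demo_dir/master.cf"
printf 'lmtp unix - - n - - lmtp\n' > "$demo_dir/clean.cf"
audit_paths "$demo_dir" || echo "stale references found"
rm -rf "$demo_dir"
```

On a real x86_64 host, pass the directories that hold MTA configuration, cron jobs and local scripts to `audit_paths`; which directories those are depends on the installation.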

---------------------------------------------------------------------
* Mon Apr  4 2005 John Dennis  - 2.2.12-1.1.fc3

- bring up to 2.2.12, fixes security CAN-2005-0546

* Mon Feb 14 2005 Simon Matter 

- updated to 2.2.12
- updated autocreate and autosievefolder patches

* Sat Feb  5 2005 Simon Matter 

- updated autosievefolder patch

* Tue Feb  1 2005 Simon Matter 

- remove special ownership and permissions from deliver
- enable deliver-wrapper per default
- enable OutlookExpress seenstate patch per default

* Wed Jan 19 2005 Simon Matter 

- updated autocreate patch

* Fri Jan 14 2005 Simon Matter 

- spec file cleanup

* Tue Jan 11 2005 Simon Matter 

- updated autocreate patch

* Fri Jan  7 2005 Simon Matter 

- moved contrib dir into doc, made scripts not executable

* Thu Jan  6 2005 Simon Matter 

- added more fixes to the autocreate patch
- don't use /usr/lib for /usr/lib/cyrus-imapd, it's a mess on x86_64
- don't use /usr/lib for symlinks
- remove /usr/lib patches
- change pam configs to work on x86_64
- changed default build option for IDLED to on
- changed rpm_set_permissions to honor partitions in /etc/imapd.conf

* Tue Jan  4 2005 Simon Matter 

- updated autocreate patch

* Mon Dec 20 2004 Simon Matter 

- remove idled docs when disabled, fixes RedHat's bug #142345

* Fri Dec 17 2004 Simon Matter 

- removed allnumeric patch, not needed anymore
- made groupcache a compile time option
- rename nntp's pam service, fixes RedHat's bug #142672

* Thu Dec 16 2004 Simon Matter 

- updated groupcache patch
- updated cvt_cyrusdb_all to use runuser instead of su if available
- added upd_groupcache tool

* Wed Dec 15 2004 Simon Matter 

- added groupfile patch to help those using nss_ldap


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

36cea34d82e4e8f127b0acd6aef20522  SRPMS/cyrus-imapd-2.2.12-1.1.fc3.src.rpm
7d86ca50692b8fb8174a9ba77577516b  x86_64/cyrus-imapd-2.2.12-1.1.fc3.x86_64.rpm
3fac6beb580449fa88cf30ebd2cc00b1  x86_64/cyrus-imapd-murder-2.2.12-1.1.fc3.x86_64.rpm
d6ae4bc28394cff12991ef41026560e4  x86_64/cyrus-imapd-nntp-2.2.12-1.1.fc3.x86_64.rpm
52f96c3c5dd2751fa345c98f26ae85ce  x86_64/cyrus-imapd-devel-2.2.12-1.1.fc3.x86_64.rpm
17b55f1ed6883ac2c2e984b68d3110b6  x86_64/perl-Cyrus-2.2.12-1.1.fc3.x86_64.rpm
2ed2914ab0ec3291496374364c84833a  x86_64/cyrus-imapd-utils-2.2.12-1.1.fc3.x86_64.rpm
71c9bd8df0da6beb33c7593285575b34  i386/cyrus-imapd-2.2.12-1.1.fc3.i386.rpm
99c59a28fd8ddf609788df73c67fd331  i386/cyrus-imapd-murder-2.2.12-1.1.fc3.i386.rpm
90bd0b98c63d2c9ec44b3c66933c613a  i386/cyrus-imapd-nntp-2.2.12-1.1.fc3.i386.rpm
5e4a129f7e77f7840ac92d6fe481f18f  i386/cyrus-imapd-devel-2.2.12-1.1.fc3.i386.rpm
5c097ebe78767a241b4617e8e945b95b  i386/perl-Cyrus-2.2.12-1.1.fc3.i386.rpm
8eebd0cb12bf4ab005830782205afc1a  i386/cyrus-imapd-utils-2.2.12-1.1.fc3.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------


-- 
John Dennis 

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
 