PDA

Bekijk Volledige Versie : [CLA-2002:557] Conectiva Linux Security Announcement - cyrus-imapd



secure@conectiva.com.br
27/12/02, 20:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : cyrus-imapd
SUMMARY : Remote command execution vulnerability
DATE : 2002-12-27 16:31:00
ID : CLA-2002:557
RELEVANT
RELEASES : 8

- -------------------------------------------------------------------------

DESCRIPTION
The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows an user to perform certain
mail functions on a remote server rather than on a local computer.

Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
overflow in cyrus imapd. The problem resides in the way memory is
managed (an integer overflow can cause less memory than needed to be
allocated).

This vulnerability[2] may be exploited prior to authentication to the
IMAP server and could allow a remote attacker to read other users'
mail and to execute arbitrary code with the privileges of the user
running the IMAP server (Conectiva Linux has a special unprivileged
user called 'cyrus' responsible for that).


SOLUTION
All users of the package Cyrus IMAP Server should upgrade their
packages imediately.

IMPORTANT: After the upgrade, the cyrus service must be restarted
manually in order to run the fixed version. This can be accomplished
by running the following command as root:

# service cyrus restart


REFERENCES:
1.http://online.securityfocus.com/archive/1/301864
2.http://www.kb.cert.org/vuls/id/740169


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-static-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cyrus-imapd-2.0.17-1U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+DJzc42jd0JmAcZARAlXlAJkB/gRvQYt69YCnm029/KdHJ3ZHeACg85F0
1SIIuObOCe7mIX3ZOW4kXAk=
=idCO
-----END PGP SIGNATURE-----