Date: Fri, 27 Dec 2002 16:33:01 -0200
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
Subject: [CLA-2002:557] Conectiva Linux Security Announcement - cyrus-imapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cyrus-imapd
SUMMARY : Remote command execution vulnerability
DATE : 2002-12-27 16:31:00
ID : CLA-2002:557
RELEVANT
RELEASES : 8
- -------------------------------------------------------------------------
DESCRIPTION
The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows an user to perform certain
mail functions on a remote server rather than on a local computer.
Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
overflow in cyrus imapd. The problem resides in the way memory is
managed (an integer overflow can cause less memory than needed to be
allocated).
This vulnerability[2] may be exploited prior to authentication to the
IMAP server and could allow a remote attacker to read other users'
mail and to execute arbitrary code with the privileges of the user
running the IMAP server (Conectiva Linux has a special unprivileged
user called 'cyrus' responsible for that).
SOLUTION
All users of the package Cyrus IMAP Server should upgrade their
packages imediately.
IMPORTANT: After the upgrade, the cyrus service must be restarted
manually in order to run the fixed version. This can be accomplished
by running the following command as root:
# service cyrus restart
REFERENCES:
1.http://online.securityfocus.com/archive/1/301864
2.http://www.kb.cert.org/vuls/id/740169
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-2.0.17-1U80_1cl.i386.rpmftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-2.0.17-1U80_1cl.i386.rpmftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-static-2.0.17-1U80_1cl.i386.rpmftp://atualizacoes.conectiva.com.br/8/SRPMS/cyrus-imapd-2.0.17-1U80_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+DJzc42jd0JmAcZARAlXlAJkB/gRvQYt69YCnm029/KdHJ3ZHeACg85F0
1SIIuObOCe7mIX3ZOW4kXAk=
=idCO
-----END PGP SIGNATURE-----
