Severe security problems (CAN-2004-10 11/12/13)

Bug #10600 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
cyrus21-imapd (Debian) | Fix Released | Unknown | |
cyrus21-imapd (Ubuntu) | Fix Released | High | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #282619 http://bugs.debian.org/282619

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 23 Nov 2004 13:22:31 +0100 (CET)
From: "Michael Schaefer" <email address hidden>
To: <email address hidden>
Subject: Severe security problems (CAN-2004-10 11/12/13)

Package: cyrus21-imapd
Version: 2.1.16-10
Severity: critical

Stefan Esser found 3 security problems in the Cyrus imap server.

See
http://security.e-matters.de/advisories/152004.html
for details.

Two or more of the problems may also affect 2.1.16 and may allow remote
execution of arbitrary code.

CVE: CAN-2004-1011 CAN-2004-1012 CAN-2004-1013

Henrique de Moraes Holschuh (hmh) wrote : Bug#282619: fixed in cyrus21-imapd 2.1.16-11

Source: cyrus21-imapd
Source-Version: 2.1.16-11

We believe that the bug you reported is fixed in the latest version of
cyrus21-imapd, which is due to be installed in the Debian FTP archive:

cyrus21-admin_2.1.16-11_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-admin_2.1.16-11_all.deb
cyrus21-clients_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-clients_2.1.16-11_i386.deb
cyrus21-common_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-common_2.1.16-11_i386.deb
cyrus21-dev_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-dev_2.1.16-11_i386.deb
cyrus21-doc_2.1.16-11_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-doc_2.1.16-11_all.deb
cyrus21-imapd_2.1.16-11.diff.gz
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.16-11.diff.gz
cyrus21-imapd_2.1.16-11.dsc
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.16-11.dsc
cyrus21-imapd_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.16-11_i386.deb
cyrus21-murder_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-murder_2.1.16-11_i386.deb
cyrus21-pop3d_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-pop3d_2.1.16-11_i386.deb
libcyrus-imap-perl21_2.1.16-11_i386.deb
  to pool/main/c/cyrus21-imapd/libcyrus-imap-perl21_2.1.16-11_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <email address hidden> (supplier of updated cyrus21-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Nov 2004 10:43:11 -0200
Source: cyrus21-imapd
Binary: cyrus21-doc cyrus21-admin cyrus21-murder cyrus21-common cyrus21-imapd cyrus21-clients cyrus21-dev cyrus21-pop3d libcyrus-imap-perl21
Architecture: source i386 all
Version: 2.1.16-11
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <email address hidden>
Changed-By: Henrique de Moraes Holschuh <email address hidden>
Description:
 cyrus21-admin - Cyrus mail system (administration tool)
 cyrus21-clients - Cyrus mail system (test clients)
 cyrus21-common - Cyrus mail system (common files)
 cyrus21-dev - Cyrus mail system (developer files)
 cyrus21-doc - Cyrus mail system (documentation files)
 cyrus21-imapd - Cyrus mail system (IMAP support)
 cyrus21-murder - Cyrus mail system (proxies and aggregator)
 cyrus21-pop3d - Cyrus mail system (POP3 support)
 libcyrus-imap-perl21 - Interface to Cyrus imap client imclient library
Closes: 231068 277072 282619
Changes:
 cyrus21-imapd (2.1.16-11) unstable; urgency=high
 .
   * SECURITY FIX: Exploitable remotely. Could cause root compromise.
     CAN-2004-1012, CAN-2004-1013. Backport of upstream 2.2.x fixes to
     2.1.16 by David Carter (closes: #282619)
   * Possible security fix: don't assume long lines have a null in them. from
     Phil...

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 23 Nov 2004 08:17:05 -0500
From: Henrique de Moraes Holschuh <email address hidden>
To: <email address hidden>
Subject: Bug#282619: fixed in cyrus21-imapd 2.1.16-11

Martin Pitt (pitti) wrote :

Was already fixed in -10ubuntu1. Fixed in Debian as well, I asked for syncing.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 6 Dec 2004 02:04:59 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge

reopen 282619
tags 282619 +sarge
thanks

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 18:37:14 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Severe security problems (CAN-2004-10 11/12/13)

tags 282619 -sarge
thanks

The version of cyrus21-imapd that fixes this bug will reach testing
tomorrow, therefore I believe this bug can finally be closed now.

Thanks,
--
Steve Langasek
postmodern programmer

Changed in cyrus21-imapd:
status: Unknown → Fix Released