STARTTLS implementation allows MITM

Bug #880924 reported by Dave Walker
Affects                    Status        Importance  Assigned to  Milestone
cyrus-imapd-2.2 (Ubuntu)   Fix Released  High        Unassigned
  Hardy                    Won't Fix     High        Unassigned
  Lucid                    Fix Released  High        Unassigned
  Maverick                 Fix Released  High        Unassigned
  Natty                    Invalid       High        Unassigned
  Oneiric                  Invalid       High        Unassigned
  Precise                  Fix Released  High        Unassigned
cyrus-imapd-2.4 (Ubuntu)   Invalid       High        Unassigned
  Hardy                    Fix Released  High        Unassigned
  Lucid                    Fix Released  High        Unassigned
  Maverick                 Fix Released  High        Unassigned
  Natty                    Fix Released  High        Unassigned
  Oneiric                  Invalid       High        Unassigned
  Precise                  Invalid       High        Unassigned

Bug Description

The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not
properly restrict I/O buffering, which allows man-in-the-middle attackers
to insert commands into encrypted sessions by sending a cleartext command
that is processed after TLS is in place, related to a "plaintext command
injection" attack, a similar issue to CVE-2011-0411.

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1926
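
The buffering flaw described above, reduced to a toy model as an added example (not Cyrus code and not part of the bug report). `struct stream`, `run_session` and the sample wire bytes are constructed for illustration, and the remedy modelled here (discarding unread input when STARTTLS is accepted) is an assumption about how such a fix is typically made.

```c
#include <stdio.h>
#include <string.h>
/* Toy buffered protocol stream (constructed for this example, not Cyrus code). */
struct stream {
    char buf[256];   /* bytes already read from the socket */
    size_t len, pos; /* valid bytes, read cursor */
    int tls;         /* set once the TLS handshake is done */
};
/* One read() returns everything the peer has sent so far. */
static void stream_fill(struct stream *s, const char *wire) {
    s->len = strlen(wire);
    if (s->len > sizeof s->buf) s->len = sizeof s->buf;
    memcpy(s->buf, wire, s->len);
    s->pos = 0;
}

/* Pop the next LF-terminated line (CR stripped); returns 0 when none is left. */
static int stream_getline(struct stream *s, char *out, size_t outsz) {
    size_t n = 0;
    while (s->pos < s->len && n + 1 < outsz) {
        char c = s->buf[s->pos++];
        if (c == '\n') { out[n] = '\0'; return 1; }
        if (c != '\r') out[n++] = c;
    }
    return 0;
}

/* Count commands handled as if TLS-protected although their bytes
 * arrived in cleartext before the handshake. */
int run_session(const char *wire, int discard_on_starttls) {
    struct stream s = {0};
    char line[128];
    int carried_over = 0;
    stream_fill(&s, wire);
    while (stream_getline(&s, line, sizeof line)) {
        if (s.tls) { carried_over++; continue; }
        if (strstr(line, "STARTTLS")) {
            if (discard_on_starttls)
                s.pos = s.len = 0; /* remedy: drop unread plaintext input */
            s.tls = 1;             /* handshake modelled as instantaneous */
        }
    }
    return carried_over;
}

int main(void) {
    const char *wire = "a1 STARTTLS\r\na2 NOOP\r\n"; /* constructed sample */
    printf("unfixed=%d fixed=%d\n", run_session(wire, 0), run_session(wire, 1));
    return 0;
}
```

A nonzero return from `run_session` means bytes that arrived before the handshake were treated as part of the encrypted session, which is the condition a regression test for this class of bug should reject.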


Dave Walker (davewalker)
visibility: private → public
Changed in cyrus-imapd-2.2 (Ubuntu Lucid):
importance: Undecided → High
status: New → Fix Released
Changed in cyrus-imapd-2.2 (Ubuntu Maverick):
importance: Undecided → High
status: New → Fix Released
Changed in cyrus-imapd-2.2 (Ubuntu Hardy):
importance: Undecided → High
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Natty):
importance: Undecided → High
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
importance: Undecided → High
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Precise):
importance: Undecided → High
status: New → Confirmed
Dave Walker (davewalker)
Changed in cyrus-imapd-2.4 (Ubuntu Oneiric):
status: New → Invalid
importance: Undecided → High
Changed in cyrus-imapd-2.4 (Ubuntu Precise):
importance: Undecided → High
status: New → Invalid
Changed in cyrus-imapd-2.4 (Ubuntu Natty):
importance: Undecided → High
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Maverick):
importance: Undecided → High
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Lucid):
importance: Undecided → High
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Hardy):
importance: Undecided → High
status: New → Fix Released
Colin Watson (cjwatson) wrote :

cyrus-imapd-2.2 (2.2.13p1-11) unstable; urgency=low

  * Fix CVE-2011-1926: STARTTLS plaintext command injection
    vulnerability (VU#555316)
  * Fix infinite loop in case of corrupted index files (Closes: #627078)

 -- Ondřej Surý <email address hidden> Wed, 18 May 2011 10:43:58 +0200

... synced into precise with 2.2.13p1-15; although I might shortly remove this in favour of cyrus-imapd-2.4.

Changed in cyrus-imapd-2.2 (Ubuntu Precise):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in cyrus-imapd-2.2 (Ubuntu Hardy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in cyrus-imapd-2.2 (Ubuntu Natty):
status: Confirmed → Incomplete
Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

dino99 (9d9) wrote :
Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
status: Incomplete → Invalid
Changed in cyrus-imapd-2.2 (Ubuntu Natty):
status: Incomplete → Invalid
This report contains Public Security information  
Everyone can see this security related information.
