bypass access restrictions for some commands

Bug #880909 reported by Dave Walker
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cyrus-imapd-2.2 (Ubuntu) | Confirmed | Medium | Unassigned | |
| Hardy | Won't Fix | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |
| Maverick | Fix Released | Medium | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Won't Fix | Medium | Unassigned | |
| cyrus-imapd-2.4 (Ubuntu) | Confirmed | Undecided | Unassigned | |
| Hardy | Invalid | Undecided | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| Maverick | Invalid | Undecided | Unassigned | |
| Natty | Invalid | Undecided | Unassigned | |
| Oneiric | Won't Fix | Undecided | Unassigned | |
| Precise | Won't Fix | Undecided | Unassigned | |
| kolab-cyrus-imapd (Ubuntu) | Confirmed | Medium | Unassigned | |
| Hardy | Won't Fix | Medium | Unassigned | |
| Lucid | Won't Fix | Medium | Unassigned | |
| Maverick | Won't Fix | Medium | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Won't Fix | Medium | Unassigned | |

Bug Description

The command processing of the NNTP server implementation (nntpd) of
cyrus-imapd is not properly implementing access restrictions for certain
commands and is not checking for a complete, successful authentication.
An attacker can use this flaw to bypass access restrictions for some
commands and, e.g., exploit CVE-2011-3208 without proper authentication.

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3372
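
An added illustration, not part of the original report and not Cyrus code: a minimal C model of the flaw class described above, where a command gate accepts a session that has only started authenticating, next to a gate that requires a completed, successful authentication. The session states, the `claimed_id` field and the per-command policy table are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: how far a session has got in authenticating. */
enum auth_state { AUTH_NONE, AUTH_STARTED, AUTH_COMPLETE };

struct session {
    enum auth_state auth;   /* AUTH_COMPLETE only after the credential check succeeds */
    const char *claimed_id; /* identity the client asserted; unverified until then */
};

/* Constructed policy table: which commands require an authenticated session. */
struct cmd_rule { const char *name; bool needs_auth; };
static const struct cmd_rule rules[] = {
    { "CAPABILITIES", false }, { "AUTHINFO", false }, { "QUIT", false },
    { "LIST", true }, { "GROUP", true }, { "ARTICLE", true },
};

/* Weak gate: treats a claimed identity as proof of authentication. */
static bool weak_is_authed(const struct session *s) {
    return s->claimed_id != NULL;
}

/* Hardened gate: only a completed, successful authentication counts. */
static bool strict_is_authed(const struct session *s) {
    return s->auth == AUTH_COMPLETE;
}

/* Single check used by the dispatcher for every command (cmd is assumed to be
 * upper-cased by the parser). Commands missing from the table are denied. */
static bool command_allowed(const struct session *s, const char *cmd,
                            bool (*is_authed)(const struct session *)) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].name, cmd) == 0)
            return !rules[i].needs_auth || is_authed(s);
    }
    return false;
}

int main(void) {
    struct session half = { AUTH_STARTED, "alice" }; /* constructed sample session */
    /* The weak gate admits the half-authenticated session; the strict one does not. */
    return (command_allowed(&half, "LIST", weak_is_authed) &&
            !command_allowed(&half, "LIST", strict_is_authed)) ? 0 : 1;
}
```

Routing every command through one default-deny check keeps a restricted command from being reachable because its handler forgot its own test.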


Dave Walker (davewalker)
visibility: private → public
Changed in cyrus-imapd-2.2 (Ubuntu Lucid):
status: New → Fix Released
Changed in cyrus-imapd-2.2 (Ubuntu Maverick):
status: New → Fix Released
Changed in cyrus-imapd-2.2 (Ubuntu Hardy):
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Natty):
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Precise):
status: New → Confirmed
Changed in cyrus-imapd-2.2 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in cyrus-imapd-2.2 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in cyrus-imapd-2.2 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in cyrus-imapd-2.2 (Ubuntu Natty):
importance: Undecided → Medium
Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in cyrus-imapd-2.2 (Ubuntu Precise):
importance: Undecided → Medium
Changed in cyrus-imapd-2.4 (Ubuntu Hardy):
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Lucid):
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Maverick):
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Natty):
status: New → Fix Released
Changed in cyrus-imapd-2.4 (Ubuntu Oneiric):
status: New → Confirmed
Changed in cyrus-imapd-2.4 (Ubuntu Precise):
status: New → Confirmed
Dave Walker (davewalker)
Changed in cyrus-imapd-2.4 (Ubuntu Hardy):
status: Fix Released → Invalid
Changed in cyrus-imapd-2.4 (Ubuntu Lucid):
status: Fix Released → Invalid
Changed in cyrus-imapd-2.4 (Ubuntu Maverick):
status: Fix Released → Invalid
Changed in cyrus-imapd-2.4 (Ubuntu Natty):
status: Fix Released → Invalid
Changed in kolab-cyrus-imapd (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in kolab-cyrus-imapd (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Changed in kolab-cyrus-imapd (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Medium
Changed in kolab-cyrus-imapd (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in kolab-cyrus-imapd (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in kolab-cyrus-imapd (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in kolab-cyrus-imapd (Ubuntu Maverick):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in kolab-cyrus-imapd (Ubuntu Natty):
status: Confirmed → Won't Fix
Changed in cyrus-imapd-2.2 (Ubuntu Natty):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in kolab-cyrus-imapd (Ubuntu Hardy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in cyrus-imapd-2.4 (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Changed in cyrus-imapd-2.2 (Ubuntu Hardy):
status: Confirmed → Won't Fix
Changed in kolab-cyrus-imapd (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in cyrus-imapd-2.2 (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in kolab-cyrus-imapd (Ubuntu Lucid):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in cyrus-imapd-2.4 (Ubuntu Precise):
status: Confirmed → Won't Fix
Steve Langasek (vorlon)
Changed in cyrus-imapd-2.2 (Ubuntu Precise):
status: Confirmed → Won't Fix
Changed in kolab-cyrus-imapd (Ubuntu Precise):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
