The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[CLA-2002:557] Conectiva Linux Security Announcement - cyrus-imapd


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 27 Dec 2002 16:33:01 -0200
From: [email protected]
To: [email protected], [email protected],
Subject: [CLA-2002:557] Conectiva Linux Security Announcement - cyrus-imapd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : cyrus-imapd
SUMMARY   : Remote command execution vulnerability
DATE      : 2002-12-27 16:31:00
ID        : CLA-2002:557
RELEVANT
RELEASES  : 8

- -------------------------------------------------------------------------

DESCRIPTION
 The Cyrus IMAP Server is an e-mail application that uses the Internet
 Message Access Protocol (IMAP). It allows an user to perform certain
 mail functions on a remote server rather than on a local computer.
 
 Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
 overflow in cyrus imapd. The problem resides in the way memory is
 managed (an integer overflow can cause less memory than needed to be
 allocated).
 
 This vulnerability[2] may be exploited prior to authentication to the
 IMAP server and could allow a remote attacker to read other users'
 mail and to execute arbitrary code with the privileges of the user
 running the IMAP server (Conectiva Linux has a special unprivileged
 user called 'cyrus' responsible for that).


SOLUTION
 All users of the package Cyrus IMAP Server should upgrade their
 packages imediately.
 
 IMPORTANT: After the upgrade, the cyrus service must be restarted
 manually in order to run the fixed version. This can be accomplished
 by running the following command as root:
 
 # service cyrus restart
 
 
 REFERENCES:
 1.http://online.securityfocus.com/archive/1/301864
 2.http://www.kb.cert.org/vuls/id/740169


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-static-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cyrus-imapd-2.0.17-1U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+DJzc42jd0JmAcZARAlXlAJkB/gRvQYt69YCnm029/KdHJ3ZHeACg85F0
1SIIuObOCe7mIX3ZOW4kXAk=
=idCO
-----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру