-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:149
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cyrus-imapd
Date    : October 14, 2011
Affected: 2009.0, 2010.1, 2011, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in cyrus-imapd:

Stack-based buffer overflow in the split_wildmats function in nntpd.c in
nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows
remote attackers to execute arbitrary code via a crafted NNTP command
(CVE-2011-3208).

Secunia Research has discovered a vulnerability in Cyrus IMAPd, which can
be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused by an error within the authentication
mechanism of the NNTP server, which can be exploited to bypass the
authentication process and execute commands intended for authenticated
users by sending an AUTHINFO USER command without a following AUTHINFO
PASS command (CVE-2011-3372).

Packages for 2009.0 are provided as of the Extended Maintenance Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
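As an added check (not part of this advisory or of Mandriva's tooling), the following Python compares a Cyrus IMAP version against the affected ranges stated above, using the upstream bounds from the CVE-2011-3208 text and the fixed Mandriva package versions from this advisory's package list. It also shows why the upstream version component alone misreads a backported fix; the rpm-style comparison is a simplified reimplementation, and the installed version strings passed to it are constructed.

```python
"""Check a Cyrus IMAP version against the ranges MDVSA-2011:149 calls affected
(CVE-2011-3208 / CVE-2011-3372). Added example, not Mandriva's tooling."""
import re

# Upstream fixes named in the advisory: "before 2.3.17 and 2.4.x before 2.4.11".
FIXED_2_3 = (2, 3, 17)
FIXED_2_4 = (2, 4, 11)

# Fixed Mandriva package versions from the advisory's package list; they keep the
# old upstream version component and carry the fix as a backported patch.
MANDRIVA_FIXED = {
    "2009.0": "2.3.12-0.p2.4.3mdv2009.0",
    "2010.1": "2.3.15-10.3mdv2010.2",
    "2011": "2.3.16-7.1-mdv2011.0",
    "mes5": "2.3.12-0.p2.4.3mdvmes5.2",
}

def _segments(s):
    """Split a version string into numeric and alphabetic runs, rpm-style."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm comparison (-1, 0, 1): numeric segments compare numerically,
    alphabetic ones lexically, numeric beats alphabetic. Epoch is not modelled."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def upstream_affected(version):
    """True if an unpatched upstream Cyrus release is in an affected range."""
    nums = tuple(int(n) for n in _segments(version) if n.isdigit())[:3]
    return nums < (FIXED_2_4 if nums[:2] == (2, 4) else FIXED_2_3)

def mandriva_fixed(product, installed_evr):
    """True if the installed Mandriva package is at or above the advisory's fix."""
    return rpmvercmp(installed_evr, MANDRIVA_FIXED[product]) >= 0

def assess(product, installed_evr):
    """Package comparison first; the upstream number alone misreads the backport."""
    if mandriva_fixed(product, installed_evr):
        return "patched"
    return "vulnerable" if upstream_affected(installed_evr) else "unknown"
```

On a real host the installed string would come from `rpm -q cyrus-imapd-nntp`; the point is that a 2.3.12 package can be fully patched while a bare upstream 2.3.12 is not.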
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by
executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
_______________________________________________________________________

Type    Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/