From security@linux-mandrake.com Fri Nov 26 23:06:43 2004
From: Mandrake Linux Security Team
To: bugtraq@securityfocus.com
Date: 25 Nov 2004 22:17:03 -0000
Subject: MDKSA-2004:139 - Updated cyrus-imapd packages fix multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           cyrus-imapd
 Advisory ID:            MDKSA-2004:139
 Date:                   November 25th, 2004

 Affected versions:      10.0, 10.1
 ______________________________________________________________________

 Problem Description:

 A number of vulnerabilities in the Cyrus-IMAP server were found by
 Stefan Esser.  Due to insufficient checking within the argument parser
 of the 'partial' and 'fetch' commands, a buffer overflow could be
 exploited to execute arbitrary attacker-supplied code.  Another
 exploitable buffer overflow could be triggered in situations when
 memory allocation fails.

 The provided packages have been patched to prevent these problems.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.0:
  10.0/RPMS/cyrus-imapd-2.1.16-5.3.100mdk.i586.rpm
  10.0/RPMS/cyrus-imapd-devel-2.1.16-5.3.100mdk.i586.rpm
  10.0/RPMS/cyrus-imapd-murder-2.1.16-5.3.100mdk.i586.rpm
  10.0/RPMS/cyrus-imapd-utils-2.1.16-5.3.100mdk.i586.rpm
  10.0/RPMS/perl-Cyrus-2.1.16-5.3.100mdk.i586.rpm
  10.0/SRPMS/cyrus-imapd-2.1.16-5.3.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
  amd64/10.0/RPMS/cyrus-imapd-2.1.16-5.3.100mdk.amd64.rpm
  amd64/10.0/RPMS/cyrus-imapd-devel-2.1.16-5.3.100mdk.amd64.rpm
  amd64/10.0/RPMS/cyrus-imapd-murder-2.1.16-5.3.100mdk.amd64.rpm
  amd64/10.0/RPMS/cyrus-imapd-utils-2.1.16-5.3.100mdk.amd64.rpm
  amd64/10.0/RPMS/perl-Cyrus-2.1.16-5.3.100mdk.amd64.rpm
  amd64/10.0/SRPMS/cyrus-imapd-2.1.16-5.3.100mdk.src.rpm

 Mandrakelinux 10.1:
  10.1/RPMS/cyrus-imapd-2.2.8-4.1.101mdk.i586.rpm
  10.1/RPMS/cyrus-imapd-devel-2.2.8-4.1.101mdk.i586.rpm
  10.1/RPMS/cyrus-imapd-murder-2.2.8-4.1.101mdk.i586.rpm
  10.1/RPMS/cyrus-imapd-nntp-2.2.8-4.1.101mdk.i586.rpm
  10.1/RPMS/cyrus-imapd-utils-2.2.8-4.1.101mdk.i586.rpm
  10.1/RPMS/perl-Cyrus-2.2.8-4.1.101mdk.i586.rpm
  10.1/SRPMS/cyrus-imapd-2.2.8-4.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
  x86_64/10.1/RPMS/cyrus-imapd-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/RPMS/cyrus-imapd-devel-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/RPMS/cyrus-imapd-murder-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/RPMS/cyrus-imapd-nntp-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/RPMS/cyrus-imapd-utils-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/RPMS/perl-Cyrus-2.2.8-4.1.101mdk.x86_64.rpm
  x86_64/10.1/SRPMS/cyrus-imapd-2.2.8-4.1.101mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBplnemqjQ0CJFipgRApbUAJ983C6D2j81TXcJc1N2Kz8Gk4jAPACeNsKQ
6pyLvL8CtlWKztkm1J3yzu4=
=N1Yf
-----END PGP SIGNATURE-----
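
Added example (not part of the Mandrakesoft advisory): a check of whether an installed cyrus-imapd is at or beyond the fixed version-release named in the package list above, using a simplified reimplementation of rpm's version ordering. Assumptions: the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' cyrus-imapd`, no epoch is set, and the inventory entries are constructed samples.

```python
import re

# Fixed version-release per Mandrakelinux release, from the advisory's package list.
FIXED = {"10.0": "2.1.16-5.3.100mdk", "10.1": "2.2.8-4.1.101mdk"}

def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering (no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alphabetic one
        if x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings (epoch assumed absent)."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(release, installed):
    """True if the installed cyrus-imapd is at or beyond the advisory's fix."""
    return evr_cmp(installed, FIXED[release]) >= 0

if __name__ == "__main__":
    # Constructed inventory: (Mandrakelinux release, installed version-release).
    # These strings are sample input, not data from real hosts.
    inventory = [("10.0", "2.1.16-5.2.100mdk"), ("10.0", "2.1.16-5.3.100mdk"),
                 ("10.1", "2.2.8-4mdk"), ("10.1", "2.2.10-1mdk")]
    for release, installed in inventory:
        state = "patched" if is_patched(release, installed) else "needs update"
        print(f"{release}  cyrus-imapd-{installed}  {state}")
```

A plain string comparison would rank 2.2.10 below 2.2.8, which is why the segments are compared numerically.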