Product : Fedora Core 3
Name : cyrus-imapd
Version : 2.2.10
Release : 1.fc3
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.
A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for
security.
Update Information:
Fixes several buffer overflow problems that could be exploited.
Fixes the following security advisories:
CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015
Tue Nov 30 2004 John Dennis <jdennis@redhat.com> 2.2.10-1.fc3
update to Simon Matter's 2.2.10 RPM,
fixes bug #139382,
security advisories: CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015
Wed Nov 24 2004 Simon Matter <simon.matter@invoca.ch>
updated to 2.2.10
Tue Nov 23 2004 Simon Matter <simon.matter@invoca.ch>
updated to 2.2.9
Fri Nov 19 2004 Simon Matter <simon.matter@invoca.ch>
changed scripts to use runuser instead of su if available
Thu Nov 18 2004 Simon Matter <simon.matter@invoca.ch>
changed requirement for file >= 3.35-1 from BuildPrereq to
Requires, fixes RedHat's bug #124991
added acceptinvalidfrom patch to fix RedHat's bug #137705
Product : Fedora Core 2
Name : cyrus-imapd
Version : 2.2.10
Release : 1.fc2
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.
A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for
security.
Update Information:
Fixes several buffer overflow problems that could be exploited.
Fixes the following security advisories:
CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015
Tue Nov 30 2004 John Dennis <jdennis@redhat.com> 2.2.10-1.fc2
update to Simon Matter's 2.2.10 RPM,
fixes bug #139382,
security advisories: CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015
Wed Nov 24 2004 Simon Matter <simon.matter@invoca.ch>
updated to 2.2.10
Tue Nov 23 2004 Simon Matter <simon.matter@invoca.ch>
updated to 2.2.9
Fri Nov 19 2004 Simon Matter <simon.matter@invoca.ch>
changed scripts to use runuser instead of su if available
Thu Nov 18 2004 Simon Matter <simon.matter@invoca.ch>
changed requirement for file >= 3.35-1 from BuildPrereq to
Requires, fixes RedHat's bug #124991
added acceptinvalidfrom patch to fix RedHat's bug #137705
Mon Oct 04 2004 Dan Walsh <dwalsh@redhat.com> 2.2.6-2.FC3.6
Change cyrus init scripts and cron job to use runuser instead of su
Fri Aug 06 2004 John Dennis <jdennis@redhat.com> 2.2.6-2.FC3.5
remove obsoletes tag, fixes bugs #127448, #129274
Wed Aug 04 2004 John Dennis <jdennis@redhat.com>
replace commas in release field with dots, bump build number
Tue Aug 03 2004 Simon Matter <simon.matter@invoca.ch>
fixed symlinks for x86_64, now uses the _libdir macro
reported by John Dennis, fixes RedHat's bug #128964
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Conectiva Linux
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : cyrus-imapd
SUMMARY : Multiple vulnerabilities in cyrus-imapd
DATE : 2004-12-01 18:21:00
ID : CLA-2004:904
RELEVANT RELEASES : 9, 10
DESCRIPTION
cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced
features such as SASL authentication, server-side mail filtering,
mailbox ACLs and others.
Stefan Esser from e-matters security recently published[2] several
vulnerabilities in cyrus-imapd:
(if not mentioned otherwise, all vulnerabilities affect both
Conectiva Linux 9 and 10)
1. "imapmagicplus" buffer overflow (CAN-2004-1011)[3]
If the "imapmagicplus" option is enabled in the server's
configuration file, then the LOGIN and PROXY commands can be abused
to cause a buffer overflow, allowing remote unauthenticated attackers
to execute arbitrary code as the "cyrus" user.
It was later found that the proxyd service also suffers[6] from the
same problem (CAN-2004-1015).
Conectiva Linux 9 is not affected by these vulnerabilities.
2. PARTIAL command vulnerability (CAN-2004-1012)[4]
The PARTIAL command parser has a vulnerability which would allow
authenticated users to cause a memory corruption and possibly execute
arbitrary code as the "cyrus" user.
3. FETCH command vulnerability (CAN-2004-1013)[5]
The FETCH command parser has a vulnerability which would allow
authenticated users to cause a memory corruption and possibly execute
arbitrary code as the "cyrus" user.
All these vulnerabilities have been fixed upstream with new versions
of cyrus-imapd: 2.2.10 for the 2.2.x branch and 2.1.17 for the 2.1.x
branch.
Below are additional changes in our RPM packages:
for CL10: SNMP support has been removed. It needs a newer net-snmp
library than the one that is currently being shipped;
for CL10: the script which attempts to convert the imapd.conf
configuration file from 2.1.x to the 2.2.x format has been fixed.
Previously it would mangle TLS directives;
for CL9: the init script has been fixed to allow GSSAPI
authentication and also to restart the server if it was already
running;
for CL9: the cyrus-imapd package now explicitly conflicts with
uw-imap-server and uw-pop-server.
SOLUTION
It is recommended that all cyrus-imapd users upgrade their packages.
The service will be automatically restarted after the upgrade if
needed.
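An added example (not part of the advisory and not Conectiva's or the Cyrus project's code): it compares an upstream version against the fixed releases named above and reads imapd.conf for the "imapmagicplus" option to report which of the four advisory IDs still apply. The function names, the boolean spellings treated as "enabled" and the sample config are assumptions.

```shell
# Added example: triage a host against the cyrus-imapd advisory above.
# Function names and the sample config are constructed for illustration.

# 0 = at/above the fixed release for its branch (2.2.10 or 2.1.17),
# 1 = older than the fix, 2 = branch not covered by the advisory.
cyrus_fixed() {
    ver=${1%%-*}                          # drop an RPM release such as -1.fc3
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    patch=${3:-0}; patch=${patch%%[!0-9]*}
    case "$1.$2" in
        2.2) fixed=10 ;;
        2.1) fixed=17 ;;
        *)   return 2 ;;
    esac
    [ "${patch:-0}" -ge "$fixed" ]
}

# 0 if the imapd.conf text on stdin enables imapmagicplus (last entry wins).
imapmagicplus_enabled() {
    awk -F: '
        /^[ \t]*#/ { next }
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "imapmagicplus" {
            val = tolower($2); gsub(/[ \t\r]/, "", val)
            on = (val ~ /^(1|y|t|on)/)
        }
        END { exit (on ? 0 : 1) }'
}

# Print which advisory IDs still apply to version $1 with config file $2.
triage() {
    cyrus_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "patched"; return 0 ;;
        2) echo "branch-not-covered"; return 0 ;;
    esac
    ids="CAN-2004-1012 CAN-2004-1013"     # PARTIAL/FETCH: authenticated users
    if imapmagicplus_enabled < "$2"; then # LOGIN/PROXY: no authentication
        ids="CAN-2004-1011 CAN-2004-1015 $ids"
    fi
    echo "$ids"
}

sample=$(mktemp)                          # constructed config, not a real host
printf '%s\n' '# imapmagicplus: no' 'imapmagicplus: yes' > "$sample"
triage 2.2.8-1 "$sample"
rm -f "$sample"
```

The version can be taken from `rpm -q --qf '%{VERSION}' cyrus-imapd`; a distribution that backports fixes without changing the upstream version has to be checked against its own advisory instead.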
PACKAGE : abiword
SUMMARY : Fix for buffer overflow vulnerability
DATE : 2004-12-01 13:28:00
ID : CLA-2004:902
RELEVANT RELEASES : 9, 10
DESCRIPTION
AbiWord[1] is a free word processing program similar to Microsoft(R)
Word.
Wv[2] is a library which allows access to Microsoft Word files.
iDefense[3] discovered[4] a buffer overflow vulnerability[5] in the
wv library which could allow an attacker to execute arbitrary code
with the privileges of the user running the vulnerable application.
This announcement fixes the wv library which is included in AbiWord
packages.
SOLUTION
It is recommended that all AbiWord users in Conectiva Linux upgrade
their packages.