- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cyrus-imapd
SUMMARY : Remote command execution vulnerability
DATE : 2002-12-27 16:31:00
ID : CLA-2002:557
RELEVANT
RELEASES : 8
- -------------------------------------------------------------------------
DESCRIPTION
The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows an user to perform certain
mail functions on a remote server rather than on a local computer.
Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
overflow in cyrus imapd. The problem resides in the way memory is
managed (an integer overflow can cause less memory than needed to be
allocated).
This vulnerability[2] may be exploited prior to authentication to the
IMAP server and could allow a remote attacker to read other users'
mail and to execute arbitrary code with the privileges of the user
running the IMAP server (Conectiva Linux has a special unprivileged
user called 'cyrus' responsible for that).
SOLUTION
All users of the package Cyrus IMAP Server should upgrade their
packages imediately.
IMPORTANT: After the upgrade, the cyrus service must be restarted
manually in order to run the fixed version. This can be accomplished
by running the following command as root:
# service cyrus restart
REFERENCES:
1.http://online.securityfocus.com/archive/1/301864
2.http://www.kb.cert.org/vuls/id/740169
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-static-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cyrus-imapd-2.0.17-1U80_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.