- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : cyrus-imapd
SUMMARY : Remote command execution vulnerability
DATE : 2002-12-27 16:31:00
ID : CLA-2002:557
RELEVANT
RELEASES : 8
- -------------------------------------------------------------------------
DESCRIPTION
The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows a user to perform certain
mail functions on a remote server rather than on a local computer.
Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
overflow in cyrus imapd. The problem resides in the way memory is
managed (an integer overflow can cause less memory than needed to be
allocated).
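The class of flaw described above, as an added example that is not code
from Cyrus imapd or from this advisory: a size computed from a
client-declared length wraps around, so the allocation is smaller than the
data later written into it. The function names, the OVERHEAD constant and
the 1 MiB cap are hypothetical; the advisory does not give the actual
expression involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed overhead added to a client-declared length
 * (for example, room for a terminator). Not a value taken from Cyrus. */
#define OVERHEAD 2u

/* Unchecked pattern: 32-bit unsigned arithmetic wraps modulo 2^32, so a
 * declared length near UINT32_MAX produces a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t declared_len)
{
    return declared_len + OVERHEAD;
}

/* Checked pattern: enforce a policy cap and refuse any length whose sum
 * with OVERHEAD would wrap. Returns 0 and sets *out, or -1 on rejection. */
int checked_alloc_size(uint32_t declared_len, uint32_t max_len, size_t *out)
{
    if (declared_len > max_len)
        return -1;
    if (declared_len > UINT32_MAX - OVERHEAD)
        return -1;
    *out = (size_t)declared_len + OVERHEAD;
    return 0;
}

/* Allocate a zeroed buffer for client data, or NULL if the length is refused. */
char *alloc_for_client_data(uint32_t declared_len, uint32_t max_len)
{
    size_t n;
    if (checked_alloc_size(declared_len, max_len, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample lengths, as an unauthenticated client might declare. */
    const uint32_t samples[] = { 16u, 0xFFFFFFFEu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *buf = alloc_for_client_data(samples[i], 1u << 20);
        printf("declared=%lu unchecked_size=%lu checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)unchecked_alloc_size(samples[i]),
               buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```

Because the flaw is reachable before login, the length check has to sit in
the code path that handles unauthenticated input, ahead of the allocation.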
This vulnerability[2] may be exploited prior to authentication to the
IMAP server and could allow a remote attacker to read other users'
mail and to execute arbitrary code with the privileges of the user
running the IMAP server (Conectiva Linux has a special unprivileged
user called 'cyrus' responsible for that).
SOLUTION
All users of the package Cyrus IMAP Server should upgrade their
packages immediately.
IMPORTANT: After the upgrade, the cyrus service must be restarted
manually in order to run the fixed version. This can be accomplished
by running the following command as root:
# service cyrus restart
REFERENCES:
1. http://online.securityfocus.com/archive/1/301864
2. http://www.kb.cert.org/vuls/id/740169
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cyrus-imapd-devel-static-2.0.17-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cyrus-imapd-2.0.17-1U80_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br