U radu programskog paketa cyrus-imapd uočen je sigurnosni nedostatak koji napadaču omogućuje umetanje naredbi u kriptirane sjednice.
| Paket: | cyrus-imapd 2.x |
| Operacijski sustavi: | Fedora 13, Fedora 14 |
| Kritičnost: | 3.8 |
| Problem: | pogreška u programskoj komponenti |
| Iskorištavanje: | lokalno/udaljeno |
| Posljedica: | umetanje proizvoljnih podataka u zaštićenu sjednicu |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2011-1926 |
| Izvorni ID preporuke: | FEDORA-2011-7193 |
| Izvor: | Fedora |
| Problem: | |
| Nedostatak je posljedica nepravilnosti u STARTTLS implementaciji. |
|
| Posljedica: | |
| Napadač može iskoristiti problem za umetanje proizvoljnih naredbi. |
|
| Rješenje: | |
| Korisnicima se savjetuje prelazak na ispravljene inačice. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7193
2011-05-19 01:36:21
--------------------------------------------------------------------------------
Name : cyrus-imapd
Product : Fedora 13
Version : 2.3.16
Release : 5.fc13
URL : http://www.cyrusimap.org/
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE
support
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scaleable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.
A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in and have no
system account on the server. The mailbox database is stored in parts
of the filesystem that are private to the Cyrus IMAP server. All user
access to mail is through software using the IMAP, POP3 or KPOP
protocols. It also includes support for virtual domains, NNTP,
mailbox annotations, and much more. The private mailbox database design
gives the server large advantages in efficiency, scalability and
administratability. Multiple concurrent read/write connections to the
same mailbox are permitted. The server supports access control lists on
mailboxes and storage quotas on mailbox hierarchies.
The Cyrus IMAP server supports the IMAP4rev1 protocol described
in RFC 3501. IMAP4rev1 has been approved as a proposed standard.
It supports any authentication mechanism available from the SASL
library, imaps/pop3s/nntps (IMAP/POP3/NNTP encrypted using SSL and
TLSv1) can be used for security. The server supports single instance
store where possible when an email message is addressed to multiple
recipients, SIEVE provides server side email filtering.
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 18 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.3.16-5
- fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability
* Fri Jan 21 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.3.16-4
- don't force sync io for all filesystems
* Tue Apr 20 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.3.16-3
- add support for QoS marked traffic (#576652)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #705288 - CVE-2011-1926 cyrus-imapd: STARTTLS plaintext command
injection
https://bugzilla.redhat.com/show_bug.cgi?id=705288
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update cyrus-imapd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7217
2011-05-19 01:37:11
--------------------------------------------------------------------------------
Name : cyrus-imapd
Product : Fedora 14
Version : 2.3.16
Release : 8.fc14
URL : http://www.cyrusimap.org/
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE
support
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scaleable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.
A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in and have no
system account on the server. The mailbox database is stored in parts
of the file system that are private to the Cyrus IMAP server. All user
access to mail is through software using the IMAP, POP3 or KPOP
protocols. It also includes support for virtual domains, NNTP,
mailbox annotations, and much more. The private mailbox database design
gives the server large advantages in efficiency, scalability and
administratability. Multiple concurrent read/write connections to the
same mailbox are permitted. The server supports access control lists on
mailboxes and storage quotas on mailbox hierarchies.
The Cyrus IMAP server supports the IMAP4rev1 protocol described
in RFC 3501. IMAP4rev1 has been approved as a proposed standard.
It supports any authentication mechanism available from the SASL
library, imaps/pop3s/nntps (IMAP/POP3/NNTP encrypted using SSL and
TLSv1) can be used for security. The server supports single instance
store where possible when an email message is addressed to multiple
recipients, SIEVE provides server side email filtering.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 17 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.3.16-8
- fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability
* Fri Jan 21 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.3.16-7
- don't force sync io for all filesystems
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #705288 - CVE-2011-1926 cyrus-imapd: STARTTLS plaintext command
injection
https://bugzilla.redhat.com/show_bug.cgi?id=705288
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update cyrus-imapd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke