Nove ranjivosti paketa cyrus-imapd

U radu programskog paketa cyrus-imapd uočeni su novi sigurnosni propusti. Udaljeni ih napadač može iskoristiti za zaobilaženje ograničenja te proizvoljno pokretanje programskog koda.

Paket:	cyrus-imapd 2.x
Operacijski sustavi:	Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux 2011, Mandriva Linux Enterprise Server 5.0
Kritičnost:	6.5
Problem:	nepravilno rukovanje ovlastima, preljev međuspremnika
Iskorištavanje:	udaljeno
Posljedica:	pokretanje proizvoljnih naredbi, proizvoljno izvršavanje programskog koda, zaobilaženje postavljenih ograničenja
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2011-3208, CVE-2011-3372
Izvorni ID preporuke:	MDVSA-2011:149
Izvor:	Mandriva

Problem:
Sigurnosni propusti se javljaju zbog preljeva međuspremnika u programskoj funkciji "split_wildmats" te pogrešaka autentikacijskog mehanizma u NNTP poslužitelju.
Posljedica:
Udaljeni napadač navedene ranjivosti može iskoristiti za proizvoljno pokretanje programskog koda te zaobilaženje postupka autentikacije što mu nadalje omogućuje pokretanje proizvoljnih naredbi.
Rješenje:
Svim korisnicima savjetuje se čitanje izvorne preporuke i nadogradnja programskog paketa.

Izvorni tekst preporuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:149
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cyrus-imapd
 Date    : October 14, 2011
 Affected: 2009.0, 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in
 cyrus-imapd:
 
 Stack-based buffer overflow in the split_wildmats function in nntpd.c
 in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11
 allows remote attackers to execute arbitrary code via a crafted NNTP
 command (CVE-2011-3208).
 
 Secunia Research has discovered a vulnerability in Cyrus IMAPd,
 which can be exploited by malicious people to bypass certain security
 restrictions. The vulnerability is caused due to an error within the
 authentication mechanism of the NNTP server, which can be exploited
 to bypass the authentication process and execute commands intended
 for authenticated users by sending an AUTHINFO USER command without
 a following AUTHINFO PASS command (CVE-2011-3372).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 54e4d920a1dc6961449fe92a21d70aea 
2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 b027ab6d3826bb90f3efeeaf9f0cfd38 
2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 e12bf8783bfdabd829527b7a9a98ab91 
2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 83a6a642fbeedc4d5f0adc5719a0080c 
2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 2f893ebd6b25ed7f91af9d139e3cdf67 
2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.i586.rpm
 aa73b1fc08697d507a1b498dac9fc9d3 
2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.i586.rpm 
 a41a72745a688b0949ae18f726a4a899 
2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ddd19215cbb8d0f739ab3eac2ed9195b 
2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 835254b0b18a7a31deabf3dafb25c505 
2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 a4140740defa18ad54124b59ac5ced08 
2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 f175718d4f8c935eaea646aacfb87fd2 
2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 8abf84c4ae32460ce1b9fa540c0e8e1f 
2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm
 d42f6a2dda95ff5f7e78a7d2ddc63634 
2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdv2009.0.x86_64.rpm 
 a41a72745a688b0949ae18f726a4a899 
2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 b2510223c771d01a0a43c07f42cb0be6 
2010.1/i586/cyrus-imapd-2.3.15-10.3mdv2010.2.i586.rpm
 ff5eaf5369620b878391c031833e869a 
2010.1/i586/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.i586.rpm
 b9beb4b0160a2eda64fafb1bd2cd5dcb 
2010.1/i586/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.i586.rpm
 646c64b84804113026d7fbee610623de 
2010.1/i586/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.i586.rpm
 7e0d6868b3383fd9982e93c8f5daf34d 
2010.1/i586/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.i586.rpm
 b0d952ba0fa0bd49a3f7d66dfd0d20ab 
2010.1/i586/perl-Cyrus-2.3.15-10.3mdv2010.2.i586.rpm 
 91f58a4c94abbe71004c81d22d1dd954 
2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 d0c07cb3c99c41c97e185074b3e5f68b 
2010.1/x86_64/cyrus-imapd-2.3.15-10.3mdv2010.2.x86_64.rpm
 30a9fc8ee330a3d148cf30fa0c068695 
2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.3mdv2010.2.x86_64.rpm
 9e9b90b86fc365b7714c07d19f6211f1 
2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.3mdv2010.2.x86_64.rpm
 a3f454c4bc8b9d49fc285a2f258c5641 
2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.3mdv2010.2.x86_64.rpm
 c27bc4046e4edb82d5ef0afb30b1fb19 
2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.3mdv2010.2.x86_64.rpm
 be0dbebb632f2e054465cdeda28edbf7 
2010.1/x86_64/perl-Cyrus-2.3.15-10.3mdv2010.2.x86_64.rpm 
 91f58a4c94abbe71004c81d22d1dd954 
2010.1/SRPMS/cyrus-imapd-2.3.15-10.3mdv2010.2.src.rpm

 Mandriva Linux 2011:
 ebe69cb95fb6874413e4fa97648d6cad 
2011/i586/cyrus-imapd-2.3.16-7.1-mdv2011.0.i586.rpm
 cd7fbd790cb66ecd639bf8b128668cac 
2011/i586/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.i586.rpm
 eb78400f64696546133b277556047d2b 
2011/i586/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.i586.rpm
 e88682e14a537ac865af12bb6d804724 
2011/i586/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.i586.rpm
 e4677ac6a793215bb72ad163dcae1774 
2011/i586/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.i586.rpm
 8276f4a486bbbadbb5423c26b4adf0d6 
2011/i586/perl-Cyrus-2.3.16-7.1-mdv2011.0.i586.rpm 
 6438fb0d0c9545c3c773598875e6e0f6  2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

 Mandriva Linux 2011/X86_64:
 ce0c97c28bc8a6b6f388530d92e5b33e 
2011/x86_64/cyrus-imapd-2.3.16-7.1-mdv2011.0.x86_64.rpm
 61457b6448ec7faf3943ac4b87bb0482 
2011/x86_64/cyrus-imapd-devel-2.3.16-7.1-mdv2011.0.x86_64.rpm
 e86a7e251cb50d53c86c4ae2b016ecf1 
2011/x86_64/cyrus-imapd-murder-2.3.16-7.1-mdv2011.0.x86_64.rpm
 1a95f9257bb366be1da897af9ed4a495 
2011/x86_64/cyrus-imapd-nntp-2.3.16-7.1-mdv2011.0.x86_64.rpm
 2f72036afd5b32e8fcce130340334cd9 
2011/x86_64/cyrus-imapd-utils-2.3.16-7.1-mdv2011.0.x86_64.rpm
 2dddd70d1c8df83d30abea15895a02fa 
2011/x86_64/perl-Cyrus-2.3.16-7.1-mdv2011.0.x86_64.rpm 
 6438fb0d0c9545c3c773598875e6e0f6  2011/SRPMS/cyrus-imapd-2.3.16-7.1.src.rpm

 Mandriva Enterprise Server 5:
 c7fd893f177ccdb0e1bc965ef2a03dc6 
mes5/i586/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 e503472475bc013c4c7cc243bcac541b 
mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 33fcfe50614189975eb5ee5d3a65f908 
mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 100ece0aadd61e09963e6d72ac9b5fb2 
mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 032bd3b1c4e554676db6ecbc9063a9c9 
mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm
 9387c22cbe5a1fa40dae1cb9a502b286 
mes5/i586/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.i586.rpm 
 57e222015b6d051ab5246d1deed73804 
mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1d809a8f695f1b8fbc407af0dc216ca0 
mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 b9bf166cfe741ae746674d05c3d6ad3a 
mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 3739c923a3b3d0fccc598d468eaa2048 
mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 5971440e8872b5a820c2fc6e9c151b06 
mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 d0d378499795a0a5aefabf6ea321f064 
mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm
 2dc5d80a0c361b2a9216c5368cf2bed9 
mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.3mdvmes5.2.x86_64.rpm 
 57e222015b6d051ab5246d1deed73804 
mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOmE+AmqjQ0CJFipgRAiXpAKCCOKU1/pAsFHn6o4QvJ0qiNHUKcACfQ8sa
4njgAqVphfco+jXlw4YnOS0=
=TTn/
-----END PGP SIGNATURE-----

Nove ranjivosti paketa cyrus-imapd

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Nove ranjivosti paketa cyrus-imapd

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti