Uočen je sigurnosni propust vezan uz cyrus-imapd koji omogućuje "man-in-the-middle" napadačima umetanje naredbi u zaštićene sjednice.
| Paket: | cyrus-imapd 2.3.x |
| Operacijski sustavi: | Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux Corporate 4.0, Mandriva Linux Enterprise Server 5.0 |
| Kritičnost: | 5.1 |
| Problem: | neodgovarajuće rukovanje memorijom, pogreška u programskoj komponenti |
| Iskorištavanje: | udaljeno |
| Posljedica: | pokretanje proizvoljnih naredbi |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2011-0411, CVE-2011-1926 |
| Izvorni ID preporuke: | MDVSA-2011:100 |
| Izvor: | Mandriva |
| Problem: | |
| Neodgovarajuća STARTTLS implementacija ne ograničava dovoljno kvalitetno pohranu podataka u pričuvnoj memoriji. |
|
| Posljedica: | |
| Uočenu ranjivost MITM napadač može iskoristiti za izvršavanje napada umetanja proizvoljnih naredbi u zaštićenu sjednicu. |
|
| Rješenje: | |
| Svim korisnicima ranjivog paketa preporučuje se primjena uobičajene nadogradnje. |
|
Izvorni tekst preporuke
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:100
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cyrus-imapd
Date : May 24, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been identified and fixed in cyrus-imapd:
The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does
not properly restrict I/O buffering, which allows man-in-the-middle
attackers to insert commands into encrypted sessions by sending a
cleartext command that is processed after TLS is in place, related to
a plaintext command injection attack, a similar issue to CVE-2011-0411
(CVE-2011-1926).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
498d5b68bb40c8f647ee02665beb3646
2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
52718b5cd0166f62fa15bf6f4ec65d56
2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
34e7b7a7cd5f7cad2dc6e068164b0fdc
2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
33e98b4e6bcf6ce9dd16e44b0ca75701
2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
9a3803b65facdf6f35b6d9056ce79a47
2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
37252ed6cfb44699178c1beef4db9e9b
2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
6f396249a59b1f73d015102ce85b70ed
2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
9c80de09df788a63bcaff8dbac7ae51e
2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
83839c1d5e23260b3b9568f67d9263bb
2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
7eba11d541e46f84274455f4e2e73783
2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
6dd7cba369978b229826fbadb52c6281
2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
55d2a884babf37537c0893410be5999e
2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
c517ce121ead39692cbc5d3e6d0bd035
2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
6f396249a59b1f73d015102ce85b70ed
2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm
Mandriva Linux 2010.1:
a1424b6d2116c8d04ddf599d47d0066c
2010.1/i586/cyrus-imapd-2.3.15-10.2mdv2010.2.i586.rpm
979e2a7916c2169592188d798fc9afc3
2010.1/i586/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.i586.rpm
d8220c9ae8b12aba911d1ca3c1d8d9bc
2010.1/i586/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.i586.rpm
da26c65b19ea37a05423367287914a1d
2010.1/i586/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.i586.rpm
bd15ad1797b25046fa1f5fc6223041a3
2010.1/i586/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.i586.rpm
202641315ef7e281b0ac9d49b41dc5b2
2010.1/i586/perl-Cyrus-2.3.15-10.2mdv2010.2.i586.rpm
907ddfe3b1ca22885fd437edc7f38a54
2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
98084c7318761c7e716c9704b41599df
2010.1/x86_64/cyrus-imapd-2.3.15-10.2mdv2010.2.x86_64.rpm
fe1845c0fb1f518b7b4589e59eb522dd
2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.x86_64.rpm
ff61a5b78885d513be547c5d3abe5e5b
2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.x86_64.rpm
8b77e0f150e904d529c9742ee6531619
2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.x86_64.rpm
2c51ef5a91da31245b8b12dcbdd1af84
2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.x86_64.rpm
b26c3480fa743eef4a9241b1be75cf91
2010.1/x86_64/perl-Cyrus-2.3.15-10.2mdv2010.2.x86_64.rpm
907ddfe3b1ca22885fd437edc7f38a54
2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm
Corporate 4.0:
45c23a293396522a89503b10a8f5db1f
corporate/4.0/i586/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
91eb948568050fabe11c6eb55b90a26e
corporate/4.0/i586/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
5a8b99fe60f67a158a1610cfb85fdc79
corporate/4.0/i586/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
87eeee87f8777f16f210c8364f107ba0
corporate/4.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
0b802cff2c75731783dde8bafde043ee
corporate/4.0/i586/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
d27c5d8a57ea4adcf29c252c74a95720
corporate/4.0/i586/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
ade0c37e3e36d2504f9700cd94f2dc74
corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
1f5cae7f38de7492414d31226ba2676e
corporate/4.0/x86_64/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
21189c14023ad6edcf7433a0932caf59
corporate/4.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
c862cf5ed064b9bb28523d87f1077920
corporate/4.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
d501b94549efb93571eef10f352fd795
corporate/4.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
9aa31a3991d96607132fec6250501fa4
corporate/4.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
b29f43dbabf91ad0373da71e5c2def91
corporate/4.0/x86_64/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
ade0c37e3e36d2504f9700cd94f2dc74
corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
44ccd362ff4536d279c6bc766fdde321
mes5/i586/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
dad6eac600091c4da1d8faebfa1e82b8
mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
3fece92c479e94610d82c590530af616
mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
c3d98ddbedac750bf27eec165c5b5902
mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
3275d942a0be02ca5c5810e181dcd518
mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
9b75bc3f9437bd461e8ad8e057be1f39
mes5/i586/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
797d5d4a98b15d89a16b60b13a9782fc
mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
64262442694df3a279c20ff7fbcc2588
mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
f638482001851e8356435b9cdca935d8
mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
f8039806879ebd5dc67b3bf5640b82a5
mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
3f746817849822daf1271b5357d5fe84
mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
ea74bb4cd9bb9734ffd16f30fe77fb0d
mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
1a21b438502b53ce5121608a2e95450e
mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
797d5d4a98b15d89a16b60b13a9782fc
mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN23yjmqjQ0CJFipgRAofTAKCbzecv2sfr6Sed19e3ToSx9i6gtQCgg6/B
10VNAxDouhTji/NBIie0PVc=
=6jGs
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke