A vulnerability has been reported in Cyrus IMAP Server, which can be exploited by malicious people to manipulate certain data. The vulnerability is caused due to the TLS implementation not properly clearing transport layer buffers when upgrading from plaintext to ciphertext after receiving the "STARTTLS" command. This can be exploited to insert arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase, which will then be executed after upgrading to the TLS ciphertext phase. The vulnerability is reported in versions prior to 2.4.7. Reproducible: Always
Fix and info at $URL.
+*cyrus-imapd-2.4.8 (10 May 2011) + + 10 May 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.8.ebuild: + version bump - bug #350013 +
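Review bot: the ChangeLog entry records the bump only as "version bump - bug #350013"; since 2.4.8 is also the release carrying the STARTTLS buffering fix tracked here (the sparc stabilization entry later in this thread cites #365909), the entry would be clearer to future readers if it named this bug as well, e.g. `version bump - bug #350013, security bug #365909`.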
(In reply to comment #2) > +*cyrus-imapd-2.4.8 (10 May 2011) > + > + 10 May 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.8.ebuild: > + version bump - bug #350013 > + Thank you, Eray. Can we move forward with stabilization? I'm asking because of the version number jump, fwiw.
> Thank you, Eray. Can we move forward with stabilization? I'm asking because of > the version number jump, fwiw. Some more time for testing would have been nice but yes we should. Please stabilize =net-mail/cyrus-imapd-2.4.8 and =net-mail/cyrus-imap-admin-2.4.8
(In reply to comment #4) > > Please stabilize =net-mail/cyrus-imapd-2.4.8 and > =net-mail/cyrus-imap-admin-2.4.8 Great, thanks. Arches, please test and mark stable: =net-mail/cyrus-imapd-2.4.8 Target keywords : "amd64 hppa ppc ppc64 sparc x86" =net-mail/cyrus-imap-admin-2.4.8 Target keywords : "amd64 hppa ppc ppc64 sparc x86"
A dependency, net-fs/openafs-kernel, fails for me. With the stable version it fails in the configure phase; with the latest it fails in src_compile. I'll file a separate bug tomorrow. Can anyone confirm? What do we do?
amd64: I have a different outcome here from Agostino's. emerge pulls in dev-perl/Term-ReadLine-Perl-1.03.02 dev-perl/TermReadKey-2.30 net-mail/cyrus-imapd-2.4.8 net-mail/cyrus-imap-admin-2.4.8. No sign of your net-fs/openafs-kernel. All emerged and passed test. All good here.
(In reply to comment #7)
> have a different outcome here to Agostino's.
> No sign of your net-fs/openafs-kernel.

amd64box ago # USE="afs kerberos" emerge -av cyrus-imapd

 * IMPORTANT: 2 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N    ] net-fs/openafs-kernel-1.4.9  0 kB
[ebuild  N    ] sys-apps/keyutils-1.2-r2  0 kB
[ebuild  N    ] dev-tcltk/expect-5.44.1.15  USE="X threads -debug -doc" 0 kB
[ebuild  N    ] dev-util/dejagnu-1.4.4-r3  USE="-doc" 0 kB
[ebuild  N    ] app-crypt/mit-krb5-1.8.3-r5  USE="test -doc -openldap -xinetd" 0 kB
[ebuild  N    ] virtual/krb5-0  0 kB
[ebuild  N    ] net-fs/openafs-1.4.9  USE="kerberos pam -debug -doc" 0 kB
[ebuild  N    ] net-mail/cyrus-imapd-2.4.8  USE="afs kerberos mysql pam postgres sieve sqlite ssl tcpd zlib -nntp -replication -snmp" 0 kB

Anyway, bug 367341 and bug 367343.
(In reply to comment #6)
> With stable version it fails on configure phase, with the last fails in
> src_compile.

net-fs/openafs-1.6.0_pre3 seems to work for me.

# eix openafs
[I] net-fs/openafs
     Available versions:  1.4.9 (~)1.4.12.1-r2 (~)1.4.14 (~)1.4.14-r1 {M}(~)1.5.34 {M}(~)1.6.0_pre2 {M}(~)1.6.0_pre3 {debug doc kerberos pam}
     Installed versions:  1.6.0_pre3(12:25:11 05/15/11)(kerberos pam -doc)
     Homepage:            http://www.openafs.org/
     Description:         The OpenAFS distributed file system

[I] net-fs/openafs-kernel
     Available versions:  1.4.9 (~)1.4.12.1 (~)1.4.14 {M}(~)1.5.34 {M}(~)1.6.0_pre2 {M}(~)1.6.0_pre3 {kernel_linux}
     Installed versions:  1.6.0_pre3(12:14:06 05/15/11)(kernel_linux)
     Homepage:            http://www.openafs.org/
     Description:         The OpenAFS distributed file system kernel module

# eix cyrus-imapd
[I] net-mail/cyrus-imapd
     Available versions:  2.3.14-r3 (~)2.3.15 (~)2.3.16 (~)2.4.8 {afs idled kerberos kolab mysql nntp pam postgres replication +sieve snmp sqlite ssl tcpd zlib}
     Installed versions:  2.4.8(14:25:12 05/15/11)(afs kerberos pam sieve ssl tcpd zlib -mysql -nntp -postgres -replication -snmp -sqlite)
     Homepage:            http://www.cyrusimap.org/
     Description:         The Cyrus IMAP Server.
ppc/ppc64 stable
(In reply to comment #9) > net-fs/openafs-1.6.0_pre3 seems to work for me. I mean openafs-kernel. So in your eix paste a masked version is installed. I have opened a new bug, and I say it does not work for me with all versions, stable and ~arch, in the tree.
net-mail/cyrus-imapd-2.4.8 fails to build here on x86 with USE="-zlib". Bug 367521
(In reply to comment #12) > net-mail/cyrus-imapd-2.4.8 fails to build here on x86 with USE="-zlib". Bug > 367521 Fixed. Thanks for the bug report.
Stable for HPPA.
amd64 done
x86 stable. Thanks, Andreas.
sparc stable
Thanks, everyone. GLSA Vote: No.
net-mail/cyrus-imap-admin-2.4.8 still has ~sparc and ~x86
(In reply to comment #19) > net-mail/cyrus-imap-admin-2.4.8 still has ~sparc and ~x86 Thanks, Eray. @x86 and @sparc, please stabilize =net-mail/cyrus-imap-admin-2.4.8 too. Thank you.
(In reply to comment #20) > Thanks, Eray. @x86 and @sparc, please stabilize > =net-mail/cyrus-imap-admin-2.4.8 too. Thank you. x86 stable
21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild: sparc stable wrt #365909
(In reply to comment #22) > 21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild: > sparc stable wrt #365909 @sparc, looks like net-mail/cyrus-imap-admin-2.4.8 needs stabilization, not net-mail/cyrus-imapd-2.4.8.
(In reply to comment #23) > (In reply to comment #22) > > 21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild: > > sparc stable wrt #365909 > > @sparc, looks like net-mail/cyrus-imap-admin-2.4.8 needs stabilization, not > net-mail/cyrus-imapd-2.4.8. Indeed, fixed, thanks.
Thanks, everyone. GLSA Vote: no (still ;)
CVE-2011-1926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1926): The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
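The bug class described in the opening report and in the CVE text above (a transport buffer that is not cleared on STARTTLS, so bytes received in the plaintext phase are processed as if they had arrived over TLS) is easy to model without any real sockets. The following is an added example written for this page, not Cyrus code and not derived from the 2.4.7 fix; the class and function names (`LineReader`, `run_session`, `leaked_plaintext`) and the sample traffic are constructed for illustration. It models the server's buffered reader, runs the same constructed session through the unpatched and the patched behaviour, and provides a check that reports any command executed in the TLS phase that the TLS client never sent.

```python
import io

# Constructed model (not Cyrus code) of the CVE-2011-1926 bug class:
# a buffered reader that keeps bytes received in the plaintext phase
# and serves them after the STARTTLS upgrade, versus one that drops them.


class LineReader:
    """Line reader over a byte source; `buf` models the server's transport buffer."""

    def __init__(self, stream, chunk=4096):
        self.stream = stream
        self.buf = b""
        self.chunk = chunk

    def readline(self):
        """Return one line without its CRLF, or b"" at end of stream."""
        while b"\n" not in self.buf:
            data = self.stream.read(self.chunk)
            if not data:
                line, self.buf = self.buf, b""
                return line
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\n")
        return line.rstrip(b"\r")

    def discard_pending(self):
        """The fix: throw away anything buffered before the TLS handshake."""
        dropped, self.buf = self.buf, b""
        return dropped

    def switch_stream(self, stream):
        """Swap the underlying source (models replacing the socket with the TLS channel)."""
        self.stream = stream


def run_session(plaintext_bytes, tls_bytes, clear_on_starttls):
    """Process commands and tag each with the phase the server believed it was in.

    plaintext_bytes: everything that arrived on the socket before the handshake
    (the STARTTLS line plus any bytes that followed it on the wire).
    tls_bytes: decrypted application data the client sends after the handshake.
    The handshake itself is out of scope here and simply swaps the stream.
    """
    reader = LineReader(io.BytesIO(plaintext_bytes))
    executed = []
    phase = "plaintext"
    while True:
        line = reader.readline()
        if not line:
            break
        cmd = line.decode("ascii", "replace")
        if phase == "plaintext" and cmd.upper() == "STARTTLS":
            if clear_on_starttls:
                reader.discard_pending()  # patched behaviour: nothing crosses the upgrade
            reader.switch_stream(io.BytesIO(tls_bytes))
            phase = "tls"
            continue
        executed.append((phase, cmd))
    return executed


def leaked_plaintext(plaintext_bytes, tls_bytes, clear_on_starttls):
    """Check: commands executed in the TLS phase that the TLS client never sent.

    A non-empty result means plaintext was carried across the upgrade.
    """
    sent_over_tls = [l.rstrip(b"\r").decode("ascii", "replace")
                     for l in tls_bytes.split(b"\n") if l.strip()]
    executed = run_session(plaintext_bytes, tls_bytes, clear_on_starttls)
    return [cmd for phase, cmd in executed
            if phase == "tls" and cmd not in sent_over_tls]


# Constructed sample traffic: the STARTTLS line is followed on the wire by an
# extra command that the genuine client never sends over TLS.
PLAINTEXT_PHASE = b"STARTTLS\r\nNOOP\r\n"
TLS_PHASE = b"CAPABILITY\r\nLOGOUT\r\n"

if __name__ == "__main__":
    print("unpatched:", run_session(PLAINTEXT_PHASE, TLS_PHASE, clear_on_starttls=False))
    print("patched:  ", run_session(PLAINTEXT_PHASE, TLS_PHASE, clear_on_starttls=True))
    print("leaked (unpatched):", leaked_plaintext(PLAINTEXT_PHASE, TLS_PHASE, False))
```

With `clear_on_starttls=False` the trailing `NOOP` is reported as a TLS-phase command even though it never travelled inside the TLS channel; with `clear_on_starttls=True` only `CAPABILITY` and `LOGOUT` are executed after the upgrade. The same discard-before-handshake rule is what a reviewer should look for in any STARTTLS implementation, whatever the protocol.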
Vote: NO. Closing noglsa.
Actually closing.