135005 2006-05-31 02:13 0000 mail-mta/courier DoS issue (CVE-2006-2659) 2006-10-15 05:33:07 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.courier-mta.org/beta/patches/verp-fix/ B3 [glsa] jaervosz P2 normal --- 140883 1 jaervosz@gentoo.org security@gentoo.org bugs--gentoo.org@daniel-faber.net chtekk@gentoo.org iggy@gentoo.org jakub@gentoo.org m.semeniuk@10g.pl net-mail@gentoo.org swtaylor@gentoo.org tcort@gentoo.org jaervosz@gentoo.org 2006-05-31 02:13:15 0000 2006-05-23 Mr. Sam <mrsam@courier-mta.com> * courier/libs/comverp.c (verp_encode): Fix bug in encoding of usernames that contain '='. m.semeniuk@10g.pl 2006-06-04 22:13:50 0000 bug 134262 is the same bug. falco@gentoo.org 2006-06-08 05:03:31 0000 This bug sould be merged with bug 134262 and bug 134262 sould be assigned to security team, so that the security process could be completed, including the final GLSA vote. falco@gentoo.org 2006-06-08 05:05:47 0000 it is CVE-2006-2659 jaervosz@gentoo.org 2006-06-08 05:10:22 0000 *** Bug 134262 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2006-06-08 05:12:46 0000 swtaylor please advise and patch as necessary. jaervosz@gentoo.org 2006-06-30 08:55:42 0000 Perhaps someone from net-mail will help on this one? jaervosz@gentoo.org 2006-07-05 23:26:58 0000 Vapier/Solar/Taviso no response from mail to swtayloer, will you try a bump? chtekk@gentoo.org 2006-07-10 17:26:44 0000 mail-mta/courier-0.53.2 is in the tree now, which fixes the security issue and a few other bugs, thanks to Marcin Semeniuk (a user) that provided updated ebuilds in another bug. I want to stress that I only did the version bump for security, I won't maintain mail-mta/courier myself as I don't use it anywhere. Best regards, CHTEKK. jaervosz@gentoo.org 2006-07-11 00:51:42 0000 Thx Luca. Arches please test and mark stable. tsunam@gentoo.org 2006-07-11 21:39:16 0000 forgetting you have courier working locally = doh! x86 done, as it all worked for me in that reguards. I'm going to take a nap now. Z_Z weeve@gentoo.org 2006-07-12 15:39:05 0000 courier dies if "test" is in FEATURES because something it does via make check spits out; Making check in imap make[1]: Entering directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap' make check-am make[2]: Entering directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap' ============================= Do not run make check as root ============================= make[2]: *** [check-am] Error 1 make[2]: Leaving directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap' make[1]: *** [check] Error 2 make[1]: Leaving directory `/var/tmp/portage/courier-0.53.2/work/courier-0.53.2/imap' make: *** [check-recursive] Error 1 !!! ERROR: mail-mta/courier-0.53.2 failed. Call stack: ebuild.sh, line 1539: Called dyn_test ebuild.sh, line 987: Called src_test ebuild.sh, line 618: Called die Will continue testing, but should be disabled. weeve@gentoo.org 2006-07-12 17:15:46 0000 Created an attachment (id=91607) Updated mailer.conf for mailwrapper support At the request of langthang, I re-built courier with FEATURES="userpriv test" and the tests run fine. On another note, the mailer.conf file for USE="mailwrapper" support provided in ${FILESDIR} is broken. The path to sendmail.courier has changed from /usr/sbin to /usr/bin. Attached is an updated version of it with the right pathings. chtekk@gentoo.org 2006-07-14 10:09:06 0000 mailer.conf was updated as per attachment and the ebuild had a src_test added that will only execute the tests if FEATURES="userpriv" is present, else it will warn the user about the need of it to make check. Best regards, CHTEKK. weeve@gentoo.org 2006-07-16 14:06:15 0000 SPARC sexy weeve@gentoo.org 2006-07-16 15:14:31 0000 This time I'll even remove SPARC from the CC! :) Your hourly bug spam brought to you by jforman's goats. jakub@gentoo.org 2006-07-18 02:12:38 0000 Could someone investigate the missing patch that should (?) get applied w/ USE="-fam"? (Bug 140883) AFAICS that patch just never existed. langthang@gentoo.org 2006-07-18 09:15:25 0000 (In reply to comment #16) > Could someone investigate the missing patch that should (?) get applied w/ > USE="-fam"? (Bug 140883) AFAICS that patch just never existed. > it looks like swtaylor bumped courier-0.48.2.20050130.ebuild to fix bug #69630 but forgot to commit fam-disable-check.patch. http://sources.gentoo.org/viewcvs.py/gentoo-x86/mail-mta/courier/courier-0.48.2.20050130.ebuild?hideattic=0&rev=1.3&view=markup one can port that patch from courier-imap but as far as security concern this isn't a regression. BTW, tsunam mark 52.2 x86 instead of 53.2. re-add x86. langthang@gentoo.org 2006-07-18 09:40:44 0000 (In reply to comment #17) > as far as security concern this > isn't a regression. I take it back. The last known stable ebuild doesn't have that fam stuff in there. Guess we have to yank fam related stuff out and do a revision bump later with fam goodness. langthang@gentoo.org 2006-07-18 14:51:03 0000 bug 140883 is fixed. please back to your regular schedule. Sorry for the interruption. tsunam@gentoo.org 2006-07-20 00:02:06 0000 perhaps its the right version this time. dertobi123@gentoo.org 2006-07-22 02:03:37 0000 Already ppc stable. tcort@gentoo.org 2006-07-22 08:40:10 0000 alpha stable. killerfox@gentoo.org 2006-07-29 02:01:38 0000 forgot to remove us. blubb@gentoo.org 2006-07-31 01:33:29 0000 amd64 done, sorry for the delay. jaervosz@gentoo.org 2006-07-31 02:48:06 0000 I tend to vote YES. koon@gentoo.org 2006-07-31 13:43:50 0000 usernames containing '=' ?? Voting no. vorlon@gentoo.org 2006-07-31 14:42:16 0000 recipients with = seem pretty uncommon... nevertheless i tend to vote yes on this one (a really small yes though) frilled@gentoo.org 2006-07-31 22:07:43 0000 I'd say it would depend on whether usernames would have to be *valid*. If NOT, I'd vote YES. But I couldn't find info that anywhere. Can somebody who actually worked on the code tell? jaervosz@gentoo.org 2006-08-01 00:45:22 0000 Mail gateways or mailing list servers usually don't have any chance of validating the username. falco@gentoo.org 2006-08-01 10:32:08 0000 i vote no; username with "=" is rather uncommon, isn't it ? frilled@gentoo.org 2006-08-02 00:07:50 0000 Sune is right IMHO (#29), and I vote "yes", too, because of that. koon@gentoo.org 2006-08-02 06:22:19 0000 Reverting to yes. jaervosz@gentoo.org 2006-08-03 22:05:30 0000 ia64 don't forget to mark stable to benifit from the GLSA. GLSA 200608-06 91607 2006-07-12 17:15 0000 Updated mailer.conf for mailwrapper support mailer.conf text/plain IyBFeGVjdXRlIHRoZSAicmVhbCIgc2VuZG1haWwgcHJvZ3JhbSwgbmFtZWQgL3Vzci9zYmluL3Nl bmRtYWlsCiMKc2VuZG1haWwJL3Vzci9iaW4vc2VuZG1haWwuY291cmllcgpzZW5kLW1haWwJL3Vz ci9iaW4vc2VuZG1haWwuY291cmllcgptYWlscQkJL3Vzci9iaW4vbWFpbHEuY291cmllcgpybWFp bAkJL3Vzci9iaW4vcm1haWwuY291cmllcgo=