CVE-2017-14230 (https://nvd.nist.gov/vuln/detail/CVE-2017-14230): In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow remote attackers to obtain sensitive information or cause a denial of service (daemon crash) via a 'LIST "" "Other Users"' command. References: https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79 https://github.com/cyrusimap/cyrus-imapd/issues/2132 https://lists.andrew.cmu.edu/pipermail/cyrus-announce/2017-September/000145.html https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.4.html
@arches, please test and mark stable as 3.0.4 is already in tree. @kivak, apologies to you sir, I missed the 'before' version part. Thanks for pointing this out!
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): > dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=dev-libs/xapian-1.4.0'] > dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=dev-libs/xapian-1.4.0'] > dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/xapian-1.4.0']
x86 stable
ppc64 stable
ppc stable
amd64 stable
Has bug #604466 been addressed? It makes cyrus-imapd completely unusable in any non-trivial configuration.
hppa stable
@maintainer(s), please clean or mask the vulnerable versions.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0394e840f16921bebb2eefbf30acc7073ca348a1 commit 0394e840f16921bebb2eefbf30acc7073ca348a1 Author: Eray Aslan <eras@gentoo.org> AuthorDate: 2018-01-22 13:49:20 +0000 Commit: Eray Aslan <eras@gentoo.org> CommitDate: 2018-01-22 13:49:20 +0000 package.mask: mask vulnerable net-mail/cyrus-imapd-2.5 releases Masked versions will be removed in 30 days Bug: https://bugs.gentoo.org/630684 profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)}
(In reply to Gustavo Zacarias from comment #8) > Has bug #604466 been addressed? > It makes cyrus-imapd completely unusable in any non-trivial configuration. It has not, and we have just masked off the last working release. Can we please, please stable 3.0.5 instead?
(In reply to Tony Vroon from comment #12) > It has not, and we have just masked off the last working release. Can we > please, please stable 3.0.5 instead? Submitted: https://bugs.gentoo.org/649996
GLSA Vote: No. Bug will remain open to track cleanup (once maintainer is comfortable dropping it)
tree is clean
