| Field | Value |
|---|---|
| Summary | <net-mail/cyrus-imapd-2.4.8: STARTTLS plaintext command injection vulnerability (CVE-2011-1926) |
| Product | Gentoo Security |
| Reporter | montjoie <corentin.labbe> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | alexanderyt, dertobi123, net-mail+disabled |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424 |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 367521 |
| Bug Blocks | |
Description

montjoie, 2011-05-04 07:54:31 UTC

Fix and info at $URL.

---

+*cyrus-imapd-2.4.8 (10 May 2011)
+
+  10 May 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.8.ebuild:
+  version bump - bug #350013
+

---

(In reply to comment #2)
> +*cyrus-imapd-2.4.8 (10 May 2011)
> +
> +  10 May 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.8.ebuild:
> +  version bump - bug #350013
> +

Thank you, Eray. Can we move forward with stabilization? I'm asking because of the version number jump, fwiw.

---

> Thank you, Eray. Can we move forward with stabilization? I'm asking because of
> the version number jump, fwiw.

Some more time for testing would have been nice but yes we should.

Please stabilize =net-mail/cyrus-imapd-2.4.8 and =net-mail/cyrus-imap-admin-2.4.8

---

(In reply to comment #4)
> Please stabilize =net-mail/cyrus-imapd-2.4.8 and
> =net-mail/cyrus-imap-admin-2.4.8

Great, thanks. Arches, please test and mark stable:

=net-mail/cyrus-imapd-2.4.8
Target keywords : "amd64 hppa ppc ppc64 sparc x86"

=net-mail/cyrus-imap-admin-2.4.8
Target keywords : "amd64 hppa ppc ppc64 sparc x86"

---

A depend, net-fs/openafs-kernel, fails for me. With the stable version it fails in the configure phase, with the latest it fails in src_compile. I'll paste a separate bug tomorrow. Can anyone confirm? What do we do?

---

amd64: have a different outcome here to Agostino's.

emerge pulls in
dev-perl/Term-ReadLine-Perl-1.03.02
dev-perl/TermReadKey-2.30
net-mail/cyrus-imapd-2.4.8
net-mail/cyrus-imap-admin-2.4.8

No sign of your net-fs/openafs-kernel.

All emerged and passed test. All good here.

---

(In reply to comment #7)
> have a different outcome here to Agostino's.
> No sign of your net-fs/openafs-kernel.

```
amd64box ago # USE="afs kerberos" emerge -av cyrus-imapd

 * IMPORTANT: 2 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N    ] net-fs/openafs-kernel-1.4.9  0 kB
[ebuild  N    ] sys-apps/keyutils-1.2-r2  0 kB
[ebuild  N    ] dev-tcltk/expect-5.44.1.15  USE="X threads -debug -doc" 0 kB
[ebuild  N    ] dev-util/dejagnu-1.4.4-r3  USE="-doc" 0 kB
[ebuild  N    ] app-crypt/mit-krb5-1.8.3-r5  USE="test -doc -openldap -xinetd" 0 kB
[ebuild  N    ] virtual/krb5-0  0 kB
[ebuild  N    ] net-fs/openafs-1.4.9  USE="kerberos pam -debug -doc" 0 kB
[ebuild  N    ] net-mail/cyrus-imapd-2.4.8  USE="afs kerberos mysql pam postgres sieve sqlite ssl tcpd zlib -nntp -replication -snmp" 0 kB
```

anyway bug 367341 and bug 367343

---

(In reply to comment #6)
> With stable version it fails on configure phase, with the last fails in
> src_compile.

net-fs/openafs-1.6.0_pre3 seems to work for me.

```
# eix openafs
[I] net-fs/openafs
     Available versions:  1.4.9 (~)1.4.12.1-r2 (~)1.4.14 (~)1.4.14-r1 {M}(~)1.5.34 {M}(~)1.6.0_pre2 {M}(~)1.6.0_pre3 {debug doc kerberos pam}
     Installed versions:  1.6.0_pre3(12:25:11 05/15/11)(kerberos pam -doc)
     Homepage:            http://www.openafs.org/
     Description:         The OpenAFS distributed file system

[I] net-fs/openafs-kernel
     Available versions:  1.4.9 (~)1.4.12.1 (~)1.4.14 {M}(~)1.5.34 {M}(~)1.6.0_pre2 {M}(~)1.6.0_pre3 {kernel_linux}
     Installed versions:  1.6.0_pre3(12:14:06 05/15/11)(kernel_linux)
     Homepage:            http://www.openafs.org/
     Description:         The OpenAFS distributed file system kernel module

# eix cyrus-imapd
[I] net-mail/cyrus-imapd
     Available versions:  2.3.14-r3 (~)2.3.15 (~)2.3.16 (~)2.4.8 {afs idled kerberos kolab mysql nntp pam postgres replication +sieve snmp sqlite ssl tcpd zlib}
     Installed versions:  2.4.8(14:25:12 05/15/11)(afs kerberos pam sieve ssl tcpd zlib -mysql -nntp -postgres -replication -snmp -sqlite)
     Homepage:            http://www.cyrusimap.org/
     Description:         The Cyrus IMAP Server.
```

---

ppc/ppc64 stable

---

(In reply to comment #9)
> net-fs/openafs-1.6.0_pre3 seems to work for me.

I mean openafs-kernel. So in your paste from eix a masked version is installed. I have opened a new bug and I say it does not work for me with all versions, stable and ~arch, in tree.

---

net-mail/cyrus-imapd-2.4.8 fails to build here on x86 with USE="-zlib". Bug 367521

---

(In reply to comment #12)
> net-mail/cyrus-imapd-2.4.8 fails to build here on x86 with USE="-zlib". Bug
> 367521

Fixed. Thanks for the bug report.

---

Stable for HPPA.

---

amd64 done

---

x86 stable. Thanks Andreas

---

sparc stable

---

Thanks, everyone. GLSA Vote: No.

---

net-mail/cyrus-imap-admin-2.4.8 still has ~sparc and ~x86

---

(In reply to comment #19)
> net-mail/cyrus-imap-admin-2.4.8 still has ~sparc and ~x86

Thanks, Eray. @x86 and @sparc, please stabilize =net-mail/cyrus-imap-admin-2.4.8 too. Thank you.

---

(In reply to comment #20)
> Thanks, Eray. @x86 and @sparc, please stabilize
> =net-mail/cyrus-imap-admin-2.4.8 too. Thank you.

x86 stable

---

21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild:
sparc stable wrt #365909

---

(In reply to comment #22)
> 21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild:
> sparc stable wrt #365909

@sparc, looks like net-mail/cyrus-imap-admin-2.4.8 needs stabilization, not net-mail/cyrus-imapd-2.4.8.

---

(In reply to comment #23)
> (In reply to comment #22)
> > 21 May 2011; Raúl Porcel <armin76@gentoo.org> cyrus-imapd-2.4.8.ebuild:
> > sparc stable wrt #365909
>
> @sparc, looks like net-mail/cyrus-imap-admin-2.4.8 needs stabilization, not
> net-mail/cyrus-imapd-2.4.8.

Indeed, fixed, thanks

---

Thanks, everyone. GLSA Vote: no (still ;)

---

CVE-2011-1926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1926):
The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

Vote: NO. Closing noglsa.

---

Actually closing.
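The NVD text quoted above names the defect class ("does not properly restrict I/O buffering") but not the mechanics. The following is an added example, not Cyrus code and not part of this bug: a toy line-oriented server loop that reads socket data into one byte buffer, dispatches CRLF-terminated commands, and switches to TLS on STARTTLS. It shows why bytes that were read in cleartext together with the STARTTLS command get dispatched as if they had arrived over TLS when the buffer is kept, and how emptying the read buffer at the switch (one standard mitigation for this class, also behind CVE-2011-0411) prevents it. All chunk contents, tags and command names are constructed; `Session`, `run_session`, `vulnerable` and `hardened` are names chosen for this example.

```python
# Added example (not Cyrus code, not from the Gentoo bug): a toy line-oriented
# server loop that models the buffering defect described for CVE-2011-1926.
# The server reads from a socket into a single byte buffer, splits it into
# CRLF lines and dispatches them. STARTTLS switches the connection to TLS,
# but bytes already sitting in the buffer were read in cleartext. If they are
# kept, the server later treats them as input that arrived over TLS.
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Session:
    buf: bytes = b""            # bytes read from the socket, not yet parsed
    tls: bool = False           # whether TLS has been negotiated
    executed: list = field(default_factory=list)  # (tag, command, over_tls)


def _next_line(sess):
    """Pop one complete CRLF-terminated line from the buffer, or None."""
    if CRLF not in sess.buf:
        return None
    line, _, sess.buf = sess.buf.partition(CRLF)
    return line


def run_session(cleartext_chunks, tls_chunks, discard_on_starttls):
    """Drive one session and return the (tag, command, over_tls) dispatched.

    cleartext_chunks:    byte chunks as read from the raw socket before TLS.
    tls_chunks:          byte chunks as read from the TLS layer afterwards.
    discard_on_starttls: True models the hardened server, which empties its
                         read buffer when it switches to TLS.
    """
    sess = Session()
    pending = {False: list(cleartext_chunks), True: list(tls_chunks)}
    while True:
        line = _next_line(sess)
        if line is None:
            source = pending[sess.tls]
            if not source:
                return sess.executed
            sess.buf += source.pop(0)   # one socket read
            continue
        tag, _, cmd = line.partition(b" ")
        verb = cmd.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS" and not sess.tls:
            sess.tls = True             # handshake assumed to succeed
            if discard_on_starttls:
                sess.buf = b""          # hardened: drop unread cleartext bytes
            continue
        sess.executed.append((tag.decode(), cmd.decode(), sess.tls))


# Constructed traffic. The second cleartext read delivers STARTTLS and a
# further command in the same segment, which is the situation the NVD text
# describes: a cleartext command that is processed only after TLS is up.
# NOOP is a harmless stand-in for whatever that command might be.
CLEARTEXT_CHUNKS = [b"a001 CAPABILITY\r\n", b"a002 STARTTLS\r\na003 NOOP\r\n"]
TLS_CHUNKS = [b"a004 LOGIN user secret\r\n"]


def vulnerable():
    """Buffer kept across the switch: a003 is dispatched with over_tls=True."""
    return run_session(CLEARTEXT_CHUNKS, TLS_CHUNKS, discard_on_starttls=False)


def hardened():
    """Buffer emptied at the switch: only what arrived over TLS is dispatched."""
    return run_session(CLEARTEXT_CHUNKS, TLS_CHUNKS, discard_on_starttls=True)


if __name__ == "__main__":
    for name, log in (("vulnerable", vulnerable()), ("hardened", hardened())):
        print(name)
        for tag, cmd, over_tls in log:
            print(f"  {tag} {cmd!r} over_tls={over_tls}")
```

The only difference between the two runs is the single `sess.buf = b""` line. In a real server the same reset belongs at the point where the TLS handshake has completed, before the first read from the TLS layer; if the plaintext layer had already consumed bytes beyond the STARTTLS line, they must not be handed to the post-TLS parser.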