Summary: | <net-mail/cyrus-imapd-2.4.11 remotely exploitable buffer overflow in nntpd (CVE-2011-3208) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Eray Aslan <eras> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://git.cyrusimap.org/cyrus-imapd/patch/?id=0f8f026699829b65733c3081657b24e2174f4f4d | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Eray Aslan
2011-09-09 07:14:43 UTC
+*cyrus-imapd-2.4.11 (09 Sep 2011) + + 09 Sep 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.11.ebuild: + version bump - security bug #382349 +

@security: We should stabilize =net-mail/cyrus-imapd-2.4.11. Thank you.

Thanks Eray. Arches, please test and mark stable : =net-mail/cyrus-imapd-2.4.11 target KEYWORDS : "amd64 hppa ppc64 ppc sparc x86"

(In reply to comment #0)
> If the 'allowanonymouslogin' option was set in
> imapd.conf, it could be done without authentication.
>

Thanks, Eray. Is this option enabled by default?

(In reply to comment #3)
> Thanks, Eray. Is this option enabled by default?

No, it is off by default.

amd64: cyrus started ok, package emerged ok.

Pass works now, amd64 ok

Stable for HPPA.

amd64/x86 stable, thanks Ian and Agostino

sparc stable

ppc/ppc64 stable, last arch done

Thanks, folks. Added to existing GLSA request.

CVE-2011-3208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3208): Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.

This issue was resolved and addressed in GLSA 201110-16 at http://security.gentoo.org/glsa/glsa-201110-16.xml by GLSA coordinator Tim Sammut (underling).
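A triage sketch for the exposure conditions discussed in this thread (an added example, not part of the bug report and not Cyrus or Gentoo code): it combines the affected version ranges from the CVE text with the `allowanonymouslogin` setting from imapd.conf. The function names, the result labels, the sample configuration, the accepted boolean spellings and the check for an `nntpd` service line in cyrus.conf are assumptions of this example.

```python
import re

# Fixed releases per branch, from the CVE text quoted on this page.
FIXED = {(2, 3): (2, 3, 17), (2, 4): (2, 4, 11)}
# Spellings treated as "enabled" here; an assumption of this sketch.
TRUTHY = {"1", "y", "yes", "t", "true", "on"}

def version_affected(version):
    """True if version is before 2.3.17, or 2.4.x before 2.4.11."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(part) for part in m.groups())
    # Branches older than 2.3 count as "before 2.3.17"; newer ones are fixed.
    return v < FIXED.get(v[:2], (2, 3, 17))

def anonymous_login(imapd_conf):
    """Read allowanonymouslogin from imapd.conf text (off by default)."""
    value = "no"
    for line in imapd_conf.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and not key.startswith("#") and key.strip().lower() == "allowanonymouslogin":
            value = val.strip().lower()  # last occurrence kept (assumption)
    return value in TRUTHY

def nntpd_enabled(cyrus_conf):
    """True if an uncommented cyrus.conf line starts nntpd via cmd="..."."""
    for line in cyrus_conf.splitlines():
        active = line.split("#", 1)[0]
        if re.search(r'cmd\s*=\s*"[^"]*\bnntpd\b', active):
            return True
    return False

def triage(version, imapd_conf, cyrus_conf):
    """Classify one host from its package version and two config files."""
    if not version_affected(version):
        return "fixed"
    if not nntpd_enabled(cyrus_conf):
        return "affected-nntpd-not-enabled"
    if anonymous_login(imapd_conf):
        return "affected-nntpd-enabled-anonymous"
    return "affected-nntpd-enabled-auth-required"

# Constructed sample configuration, not taken from any real host.
SAMPLE_IMAPD = "configdirectory: /var/imap\nallowanonymouslogin: yes\n"
SAMPLE_CYRUS = 'SERVICES {\n  imap cmd="imapd" listen="imap" prefork=0\n  nntp cmd="nntpd" listen="nntp" prefork=0\n}\n'

if __name__ == "__main__":
    print(triage("2.4.10", SAMPLE_IMAPD, SAMPLE_CYRUS))
```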