| Summary: | <net-mail/cyrus-imapd-2.4.12 multiple vulnerabilities (CVE-2011-3372) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | n0idx80, net-mail+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/46093/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2011-10-05 12:13:24 UTC
Please bump 2.4.12 or here[1] is the patch.

[1]: http://git.cyrusimap.org/cyrus-imapd/patch/?id=77903669e04c9788460561dd0560b9c916519594

+*cyrus-imapd-2.4.12 (06 Oct 2011)
+
+ 06 Oct 2011; Eray Aslan <eras@gentoo.org> +cyrus-imapd-2.4.12.ebuild:
+ version bump - security bug #385729. Add back sieve USE flag - bug #382389
+

@security: We can stabilize =net-mail/cyrus-imapd-2.4.12. Thank you.

(In reply to comment #2)
> @security: We can stabilize =net-mail/cyrus-imapd-2.4.12. Thank you.

Thanks Eras.

Arches, please test and mark stable:
=net-mail/cyrus-imapd-2.4.12
target KEYWORDS : "amd64 hppa ppc ppc64 sparc x86"

amd64 ok

ditto

Thanks, guys

+ 06 Oct 2011; Steve Dibb <beandog@gentoo.org> cyrus-imapd-2.4.12.ebuild:
+ amd64 stable, security bug 385729

CVE-2011-3481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3481): The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.

*** Bug 386233 has been marked as a duplicate of this bug. ***

sparc stable

x86 stable

ppc/ppc64 stable

Stable for HPPA.

Thanks, everyone. GLSA Vote: yes.

Vote: YES. GLSA request filed.

This issue was resolved and addressed in GLSA 201110-16 at http://security.gentoo.org/glsa/glsa-201110-16.xml by GLSA coordinator Tim Sammut (underling).

CVE-2011-3372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3372): imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.