| Summary: | <net-mail/cyrus-imapd-{3.0.16, 3.4.2}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | joost, maintainer-needed, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 816903 | | |
| Bug Blocks: | | | |

Description
John Helmert III
2021-06-23 23:33:37 UTC
Package list is empty or all packages have requested keywords.

CVE-2021-33582:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05e63664ed98b45a24cb6cccac4c284ade728b4b

commit 05e63664ed98b45a24cb6cccac4c284ade728b4b
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:58 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:35 +0000

net-mail/cyrus-imapd: add 3.4.2

Bug: https://bugs.gentoo.org/798111
Signed-off-by: Sam James <sam@gentoo.org>

net-mail/cyrus-imapd/Manifest | 1 +
net-mail/cyrus-imapd/cyrus-imapd-3.4.2.ebuild | 233 ++++++++++++++++++++++++++
profiles/base/package.use.force | 6 -
3 files changed, 234 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab88c8d3cfc31a6c437eef0ec4321728fff65ef

commit 8ab88c8d3cfc31a6c437eef0ec4321728fff65ef
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 01:14:45 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 01:17:34 +0000

net-mail/cyrus-imapd: add 3.0.16

Bug: https://bugs.gentoo.org/798111
Signed-off-by: Sam James <sam@gentoo.org>

net-mail/cyrus-imapd/Manifest | 1 +
net-mail/cyrus-imapd/cyrus-imapd-3.0.16.ebuild | 230 +++++++++++++++++++++++++
2 files changed, 231 insertions(+)

Please cleanup

@ajak
After rerun, the testsuite failed for ppc64, so I reverted the stable for ppc64 (so we still wait for stable to cleanup)

(In reply to Arthur Zamarin from comment #11)
> @ajak
> After rerun, the testsuite failed for ppc64, so I reverted the stable for
> ppc64 (so we still wait for stable to cleanup)

No worries!

Portage tree only contains version "3.4.5-r1"
I think this can be closed?

(In reply to J. Roeleveld from comment #13)
> Portage tree only contains version "3.4.5-r1"
> I think this can be closed?

No, the security team still needs to decide whether to publish a GLSA for this issue.
(Yes, we are behind but currently working on the backlog).