Bug 79874 - <net-mail/uw-imap-2004b fails to properly authenticate users when using CRAM-MD5
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-28 10:43 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-06-26 05:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-01-28 10:43:08 UTC
A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.

http://www.kb.cert.org/vuls/id/702777
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 14:13:56 UTC
2004c is in portage, just needing to be marked stable.
Arches: please test and mark stable
Comment 2 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-28 14:34:29 UTC
Stable on ppc.
Comment 3 Jason Wever (RETIRED) gentoo-dev 2005-01-29 09:31:54 UTC
Stable on sparc.
Comment 4 Jan Brinkmann (RETIRED) gentoo-dev 2005-01-29 10:19:09 UTC
stable on amd64
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-30 11:44:26 UTC
Stable on alpha.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 05:06:38 UTC
Waiting for x86 testing.
Voting for GLSA: I vote YES, this is nasty.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-31 07:05:27 UTC
I vote for a GLSA on this one as well.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-01 09:08:00 UTC
ticho: if you tested it please mark stable for x86, we need it to issue the GLSA
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2005-02-01 12:22:27 UTC
sorry for the delay, x86 is there ... 
Comment 10 Andrej Kacian (RETIRED) gentoo-dev 2005-02-01 12:32:34 UTC
tester already marked this stable on x86 (with an invalid changelog entry, I might add). I can confirm that the problem is indeed gone.

Is there any reason not to CC net-mail when a net-mail security bug pops up? I didn't even know about this vulnerability until now.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-02-01 13:31:09 UTC
ticho: the fixed package was already there so we just asked for stable markings. We should have cc-d you anyway, you're right.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 05:11:30 UTC
GLSA 200502-02
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:52:48 UTC
Already stable on hppa