Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385729 (CVE-2011-3372) - <net-mail/cyrus-imapd-2.4.12 multiple vulnerabilities (CVE-2011-3372)
Summary: <net-mail/cyrus-imapd-2.4.12 multiple vulnerabilities (CVE-2011-3372)
Alias: CVE-2011-3372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
: 386233 (view as bug list)
Depends on:
Reported: 2011-10-05 12:13 UTC by Agostino Sarubbo
Modified: 2012-02-21 03:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-05 12:13:24 UTC
From secunia security advisor at $URL:

The vulnerability is caused due to an error within the authentication mechanism of the NNTP server, which can be exploited to bypass the authentication process and execute commands intended for authenticated users by sending an "AUTHINFO USER" command without a following "AUTHINFO PASS" command.

The vulnerability is confirmed in version 2.4.10 and 2.4.11. Prior versions may also be affected.

Apply patch or update to version 2.4.12.
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-05 12:16:01 UTC
Please bump 2.4.12 or here[1] is the patch.

Comment 2 Eray Aslan gentoo-dev 2011-10-06 11:22:15 UTC
+*cyrus-imapd-2.4.12 (06 Oct 2011)
+  06 Oct 2011; Eray Aslan <> +cyrus-imapd-2.4.12.ebuild:
+  version bump - security bug #385729. Add back sieve USE flag - bug #382389

@security:  We can stabilize =net-mail/cyrus-imapd-2.4.12.  Thank you.
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-06 12:35:39 UTC
(In reply to comment #2)
> @security:  We can stabilize =net-mail/cyrus-imapd-2.4.12.  Thank you.

Thanks Eras.

Arches, please test and mark stable: 


target KEYWORDS : "amd64 hppa ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-06 12:54:02 UTC
amd64 ok
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-10-06 19:06:32 UTC
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2011-10-06 20:00:22 UTC
Thanks, guys

+  06 Oct 2011; Steve Dibb <> cyrus-imapd-2.4.12.ebuild:
+  amd64 stable, security bug 385729
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:56:49 UTC
CVE-2011-3481 (
  The index_get_ids function in index.c in imapd in Cyrus IMAP Server before
  2.4.11, when server-side threading is enabled, allows remote attackers to
  cause a denial of service (NULL pointer dereference and daemon crash) via a
  crafted References header in an e-mail message.
Comment 8 Agostino Sarubbo gentoo-dev 2011-10-08 10:15:13 UTC
*** Bug 386233 has been marked as a duplicate of this bug. ***
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-10-08 18:15:53 UTC
sparc stable
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 19:33:40 UTC
x86 stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 18:22:50 UTC
ppc/ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-11 19:04:24 UTC
Stable for HPPA.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-10-11 19:06:08 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-11 19:56:48 UTC
Vote: YES. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:34:18 UTC
This issue was resolved and addressed in
 GLSA 201110-16 at
by GLSA coordinator Tim Sammut (underling).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 03:56:13 UTC
CVE-2011-3372 (
  imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12
  allows remote attackers to bypass authentication by sending an AUTHINFO USER
  command without sending an additional AUTHINFO PASS command.