Security: Multiple issues in cyrus-imapd
Name: Multiple issues in cyrus-imapd
ID: FEDORA-2005-339
Distribution: Fedora
Platforms: Fedora Core 3
Date: Thu, 28 April 2005, 13:00
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0546
Applications: Cyrus IMAP Server


Fedora Update Notification

Product : Fedora Core 3
Name : cyrus-imapd
Version : 2.2.12
Release : 1.1.fc3
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for

Update Information:

Several buffer overflow bugs were found in cyrus-imapd. It is possible that
an authenticated malicious user could cause the imap server to crash.
Additionally, a peer news admin could potentially execute arbitrary code on
the imap server when news is received using the fetchnews command. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0546 to this issue.

In addition, this version of the rpm contains a collection of other
fixes since the last FC3 update (see the changelog below).

>>>>>>>>>>>> IMPORTANT NOTE FOR X86_64 INSTALLATION <<<<<<<<<<<<

This rpm also fixes bug #156121, which incorrectly placed some
executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64-bit
libraries; the misplacement caused problems for existing scripts that
expected to find the executables in a canonical location
(/usr/lib/cyrus-imapd) and violated the multilib packaging guidelines.
Only references external to the cyrus-imapd package are affected by this;
the rpm is self-consistent. The most notable example is
/usr/lib64/cyrus-imapd/deliver, which is now /usr/lib/cyrus-imapd/deliver
(use of lmtp is encouraged in preference to deliver). This change only
affects x86_64

* Mon Apr 4 2005 John Dennis <jdennis@redhat.com> - 2.2.12-1.1.fc3

- bring up to 2.2.12, fixes security CAN-2005-0546

* Mon Feb 14 2005 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.12
- updated autocreate and autosievefolder patches

* Sat Feb 5 2005 Simon Matter <simon.matter@invoca.ch>

- updated autosievefolder patch

* Tue Feb 1 2005 Simon Matter <simon.matter@invoca.ch>

- remove special ownership and permissions from deliver
- enable deliver-wrapper per default
- enable OutlookExpress seenstate patch per default

* Wed Jan 19 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Fri Jan 14 2005 Simon Matter <simon.matter@invoca.ch>

- spec file cleanup

* Tue Jan 11 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Fri Jan 7 2005 Simon Matter <simon.matter@invoca.ch>

- moved contrib dir into doc, made scripts not executable

* Thu Jan 6 2005 Simon Matter <simon.matter@invoca.ch>

- added more fixes to the autocreate patch
- don't use /usr/lib for /usr/lib/cyrus-imapd, it's a mess on x86_64
- don't use /usr/lib for symlinks
- remove /usr/lib patches
- change pam configs to work on x86_64
- changed default build option for IDLED to on
- changed rpm_set_permissions to honor partitions in /etc/imapd.conf

* Tue Jan 4 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Mon Dec 20 2004 Simon Matter <simon.matter@invoca.ch>

- remove idled docs when disabled, fixes RedHat's bug #142345

* Fri Dec 17 2004 Simon Matter <simon.matter@invoca.ch>

- removed allnumeric patch, not needed anymore
- made groupcache a compile time option
- rename nntp's pam service, fixes RedHat's bug #142672

* Thu Dec 16 2004 Simon Matter <simon.matter@invoca.ch>

- updated groupcache patch
- updated cvt_cyrusdb_all to use runuser instead of su if available
- added upd_groupcache tool

* Wed Dec 15 2004 Simon Matter <simon.matter@invoca.ch>

- added groupfile patch to help those using nss_ldap

This update can be downloaded from:

36cea34d82e4e8f127b0acd6aef20522 SRPMS/cyrus-imapd-2.2.12-1.1.fc3.src.rpm
7d86ca50692b8fb8174a9ba77577516b x86_64/cyrus-imapd-2.2.12-1.1.fc3.x86_64.rpm
17b55f1ed6883ac2c2e984b68d3110b6 x86_64/perl-Cyrus-2.2.12-1.1.fc3.x86_64.rpm
71c9bd8df0da6beb33c7593285575b34 i386/cyrus-imapd-2.2.12-1.1.fc3.i386.rpm
90bd0b98c63d2c9ec44b3c66933c613a i386/cyrus-imapd-nntp-2.2.12-1.1.fc3.i386.rpm
5c097ebe78767a241b4617e8e945b95b i386/perl-Cyrus-2.2.12-1.1.fc3.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.

John Dennis <jdennis@redhat.com>

fedora-announce-list mailing list