Support / Sécurité / Annonces de sécurité / Mandriva Enterprise Server 5 / MDVSA-2011:100

Nom du paquet: cyrus-imapd
Date: 2011-05-24
Advisory ID: MDVSA-2011:100
Affected versions: 2009.0 x86_64 , MES5 i586 , 2010.1 i586 , 2009.0 i586 , CS4.0 i586 , CS4.0 x86_64 , MES5 x86_64 , 2010.1 x86_64

Problem description

A vulnerability has been identified and fixed in cyrus-imapd:

The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does
not properly restrict I/O buffering, which allows man-in-the-middle
attackers to insert commands into encrypted sessions by sending a
cleartext command that is processed after TLS is in place, related to
a plaintext command injection attack, a similar issue to CVE-2011-0411
(CVE-2011-1926).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 9c80de09df788a63bcaff8dbac7ae51e  2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 83839c1d5e23260b3b9568f67d9263bb  2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 7eba11d541e46f84274455f4e2e73783  2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 6dd7cba369978b229826fbadb52c6281  2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 55d2a884babf37537c0893410be5999e  2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm
 c517ce121ead39692cbc5d3e6d0bd035  2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm 
 6f396249a59b1f73d015102ce85b70ed  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm

MES5 i586

 44ccd362ff4536d279c6bc766fdde321  mes5/i586/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 dad6eac600091c4da1d8faebfa1e82b8  mes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 3fece92c479e94610d82c590530af616  mes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 c3d98ddbedac750bf27eec165c5b5902  mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 3275d942a0be02ca5c5810e181dcd518  mes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm
 9b75bc3f9437bd461e8ad8e057be1f39  mes5/i586/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm 
 797d5d4a98b15d89a16b60b13a9782fc  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm

2010.1 i586

 a1424b6d2116c8d04ddf599d47d0066c  2010.1/i586/cyrus-imapd-2.3.15-10.2mdv2010.2.i586.rpm
 979e2a7916c2169592188d798fc9afc3  2010.1/i586/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.i586.rpm
 d8220c9ae8b12aba911d1ca3c1d8d9bc  2010.1/i586/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.i586.rpm
 da26c65b19ea37a05423367287914a1d  2010.1/i586/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.i586.rpm
 bd15ad1797b25046fa1f5fc6223041a3  2010.1/i586/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.i586.rpm
 202641315ef7e281b0ac9d49b41dc5b2  2010.1/i586/perl-Cyrus-2.3.15-10.2mdv2010.2.i586.rpm 
 907ddfe3b1ca22885fd437edc7f38a54  2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm

2009.0 i586

 498d5b68bb40c8f647ee02665beb3646  2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 52718b5cd0166f62fa15bf6f4ec65d56  2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 34e7b7a7cd5f7cad2dc6e068164b0fdc  2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 33e98b4e6bcf6ce9dd16e44b0ca75701  2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 9a3803b65facdf6f35b6d9056ce79a47  2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.i586.rpm
 37252ed6cfb44699178c1beef4db9e9b  2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.i586.rpm 
 6f396249a59b1f73d015102ce85b70ed  2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm

CS4.0 i586

 45c23a293396522a89503b10a8f5db1f  corporate/4.0/i586/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 91eb948568050fabe11c6eb55b90a26e  corporate/4.0/i586/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 5a8b99fe60f67a158a1610cfb85fdc79  corporate/4.0/i586/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 87eeee87f8777f16f210c8364f107ba0  corporate/4.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 0b802cff2c75731783dde8bafde043ee  corporate/4.0/i586/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm
 d27c5d8a57ea4adcf29c252c74a95720  corporate/4.0/i586/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm 
 ade0c37e3e36d2504f9700cd94f2dc74  corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm

CS4.0 x86_64

 1f5cae7f38de7492414d31226ba2676e  corporate/4.0/x86_64/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 21189c14023ad6edcf7433a0932caf59  corporate/4.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 c862cf5ed064b9bb28523d87f1077920  corporate/4.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 d501b94549efb93571eef10f352fd795  corporate/4.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 9aa31a3991d96607132fec6250501fa4  corporate/4.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm
 b29f43dbabf91ad0373da71e5c2def91  corporate/4.0/x86_64/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm 
 ade0c37e3e36d2504f9700cd94f2dc74  corporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm

MES5 x86_64

 64262442694df3a279c20ff7fbcc2588  mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 f638482001851e8356435b9cdca935d8  mes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 f8039806879ebd5dc67b3bf5640b82a5  mes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 3f746817849822daf1271b5357d5fe84  mes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 ea74bb4cd9bb9734ffd16f30fe77fb0d  mes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm
 1a21b438502b53ce5121608a2e95450e  mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm 
 797d5d4a98b15d89a16b60b13a9782fc  mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm

2010.1 x86_64

 98084c7318761c7e716c9704b41599df  2010.1/x86_64/cyrus-imapd-2.3.15-10.2mdv2010.2.x86_64.rpm
 fe1845c0fb1f518b7b4589e59eb522dd  2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.x86_64.rpm
 ff61a5b78885d513be547c5d3abe5e5b  2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.x86_64.rpm
 8b77e0f150e904d529c9742ee6531619  2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.x86_64.rpm
 2c51ef5a91da31245b8b12dcbdd1af84  2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.x86_64.rpm
 b26c3480fa743eef4a9241b1be75cf91  2010.1/x86_64/perl-Cyrus-2.3.15-10.2mdv2010.2.x86_64.rpm 
 907ddfe3b1ca22885fd437edc7f38a54  2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926