GLSA: cyrus-imapd

[Daniel Ahlberg <aliz () gentoo org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-11
- - --------------------------------------------------------------------

PACKAGE : cyrus-imapd
SUMMARY : buffer overflows
DATE    : 2002-12-27 23:12 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

- From first advisory:

"Cyrus' Sieve implementation contains a couple of classic string based
buffer overflows in script parsing code. Anyone who can execute Sieve
scripts can exploit these bugs. Versions up to libSieve 2.1.2 and 
Cyrus IMAP 2.1.10 are affected."

- From second advisory:

"Cyrus IMAP server has a a remotely exploitable pre-login buffer 
overflow. I checked versions 1.4 (oldest in web page) and 2.1.10 which 
both had it, so apparently all versions are affected."

Read the full advisories at
http://marc.theaimsgroup.com/?l=bugtraq&m=103886433123554&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=103886607825605&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/cyrus-imapd-2.1.9-r1 update their systems as follows:

emerge rsync
emerge cyrus-imapd
emerge clean

If you have cyrus-imap-dev-2.1.9-r1 and/or cyrus-imap-admin-2.1.9 
installed you need to update those aswell:

emerge cyrus-imap-dev 
and/or
emerge cyrus-imap-admin

- - --------------------------------------------------------------------
aliz () gentoo org - GnuPG key is available at www.gentoo.org/~aliz
raker () gentoo org
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+DN/XfT7nyhUpoZMRAnosAJ9ybx65sWEPnEAKTEJPWt+qJHCUnACcCZ1P
0ZZp3kf9GTFH5VJVHgDMeoc=
=0nzQ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html