From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1881-1                    [email protected]
http://www.debian.org/security/                                Nico Golde
September 7th, 2009                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : cyrus-imapd-2.2
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : none assigned yet
It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator, an attacker can cause a negative length to be passed to snprintf() calls; since snprintf() takes its size argument as an unsigned size_t, the negative value is converted to a very large positive one and the call is no longer bounded by the destination buffer. The resulting buffer overflow can be used to obtain the privileges of the cyrus system user. An attacker who is able to install SIEVE scripts that the server executes (in a typical Cyrus deployment this includes any mail user allowed to upload scripts through the managesieve service, timsieved) is therefore able to read and modify arbitrary email messages on the system.
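The following C program is an added illustration of the bug class described above; it is not Cyrus's code and does not reproduce the affected Sieve routine. It assumes a hypothetical message-building routine (unsafe_build) that keeps its "bytes used" counter in a signed int and trusts the return value of snprintf(), computes the size_t value the second snprintf() call actually receives (remaining_as_snprintf_sees_it), and places the hardened form beside it (safe_append, safe_build). The overflowing write is steered into a larger backing array (arena) so the demonstration stays inside memory the program owns; the inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of the bug class in the advisory; not Cyrus code.
 * "Bytes left" is tracked in a signed int and handed to snprintf(), whose
 * size parameter is size_t.  snprintf() returns the length the output WOULD
 * have had, not what fit, so after one truncated write `used` exceeds the
 * buffer, the int goes negative, and the conversion to size_t turns it into
 * an enormous bound: the next snprintf() is effectively unbounded. */

#define LOGICAL_SIZE 32   /* the size the code believes its buffer has      */
#define ARENA_SIZE   128  /* real backing store for the demo, so the bytes
                             written past LOGICAL_SIZE stay in memory we own */

/* The value snprintf() actually receives as its size argument. */
size_t remaining_as_snprintf_sees_it(int bufsize, int used)
{
    int remaining = bufsize - used;  /* negative once used > bufsize        */
    return (size_t)remaining;        /* the implicit conversion at the call */
}

/* Vulnerable pattern (hypothetical).  arena must hold ARENA_SIZE bytes; only
 * its first LOGICAL_SIZE bytes are "the buffer".  Returns the final value of
 * the bookkeeping counter, which is wrong as soon as part1 does not fit. */
size_t unsafe_build(char *arena, const char *part1, const char *part2)
{
    int used = 0;

    /* Truncated if part1 is long, but `used` grows by part1's full length. */
    used += snprintf(arena + used, LOGICAL_SIZE - used, "%s", part1);

    /* Now LOGICAL_SIZE - used is negative.  Cast to size_t it is close to
     * SIZE_MAX, and the write starts beyond the end of the logical buffer. */
    used += snprintf(arena + used, (size_t)(LOGICAL_SIZE - used), "%s", part2);

    return (size_t)used;
}

/* Hardened append: size_t bookkeeping, refuse to write once full, and never
 * treat snprintf()'s return value as "bytes written".  Returns 1 if all of s
 * fit, 0 if it was truncated; buf is NUL-terminated either way. */
int safe_append(char *buf, size_t bufsize, size_t *used, const char *s)
{
    if (bufsize == 0 || *used >= bufsize)   /* full, or corrupted counter */
        return 0;

    size_t left = bufsize - *used;          /* unsigned: cannot go negative */
    int n = snprintf(buf + *used, left, "%s", s);

    if (n < 0) {                            /* encoding error: keep a valid string */
        buf[*used] = '\0';
        return 0;
    }
    if ((size_t)n >= left) {                /* truncated: clamp to the last byte */
        *used = bufsize - 1;
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Same two-part message, built safely.  Returns the bytes in use (no NUL). */
size_t safe_build(char *buf, size_t bufsize, const char *part1, const char *part2)
{
    size_t used = 0;
    if (bufsize == 0)
        return 0;
    buf[0] = '\0';
    safe_append(buf, bufsize, &used, part1);
    safe_append(buf, bufsize, &used, part2);
    return used;
}

int main(void)
{
    /* Constructed inputs: a 40-byte first part that cannot fit in 32 bytes,
     * then a 20-byte second part. */
    const char *part1 = "0123456789012345678901234567890123456789";
    const char *part2 = "XXXXXXXXXXXXXXXXXXXX";
    char arena[ARENA_SIZE];
    char buf[LOGICAL_SIZE];

    printf("size handed to the second snprintf(): %zu\n",
           remaining_as_snprintf_sees_it(LOGICAL_SIZE, 40));

    memset(arena, 'A', sizeof arena);
    unsafe_build(arena, part1, part2);
    printf("unsafe: byte at offset 40, past the 32-byte buffer: '%c'\n", arena[40]);

    size_t used = safe_build(buf, sizeof buf, part1, part2);
    printf("safe: used=%zu text=\"%s\"\n", used, buf);
    return 0;
}
```

The first snprintf() in unsafe_build writes only 31 bytes plus the terminator but returns 40, so the counter already points past the buffer; the size argument of the second call is then SIZE_MAX - 7 and the 20-byte second part lands at offset 40, which is exactly the "negative length becomes a large positive value" behaviour the advisory describes. The hardened version keeps the counter unsigned, checks it against the buffer before every write, and clamps it on truncation instead of advancing it by snprintf()'s return value.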
For the oldstable distribution (etch), this problem has been fixed in
version 2.2.13-10+etch2.
For the stable distribution (lenny), this problem has been fixed in
version 2.2.13-14+lenny1.
For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.
We recommend that you upgrade your cyrus-imapd-2.2 packages.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2.diff.gz
Size/MD5 checksum: 258553 dcbaf7e6c1f9ce896d2b2e75215797bd
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2.dsc
Size/MD5 checksum: 1298 7eac896a46888f98ab76fd6287c5eb2f
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13.orig.tar.gz
Size/MD5 checksum: 2109770 3ff679714836d1d7b1e1df0e026d4844
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-10+etch2_all.deb
Size/MD5 checksum: 226846 45903c38c5442ab0bc393b09a374d28c
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-10+etch2_all.deb
Size/MD5 checksum: 80188 0fee8aa188fca06ca24f905e437f3621
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 1207538 1c4cc5eb3f83d0586e9ac3d7f0881a32
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 1007132 7bcdb4a2bf9aff702bfa0ebb9708bc56
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 138358 acdcfa535f091c083e3c10136c033958
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 197654 f7305fa014e8b137efbc8e6dad92bd81
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 649710 46733c9a34e7df4ef49a91037f6e667d
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 302254 ff005ebe300d0b94233c335300ed7f51
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 297038 0c57dae1e59453a42263338c8d4fb4bf
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-10+etch2_alpha.deb
Size/MD5 checksum: 6053052 0a5c3aaaf6774d38e4d016f207996d39
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 612176 81da459bcdf3a79aeeb6db27ecdd8497
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 132766 371d24b4e829b8f76795b209efdde682
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 184892 60763da463da9578deea8a4eb73e5ccf
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 270150 2f4de9d10caf4904692cc69714f91a4a
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 944062 22a44fea5b208b74dc1bd65bfd9698c6
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 282322 7fe526f08b1ec1841f78b01f0a260552
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 1143778 526cabf2a03e5ddf8887dee32874d9cc
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-10+etch2_amd64.deb
Size/MD5 checksum: 5724502 d2928b12c103294c4c6a2eb690720abc
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch2_arm.deb
Size/MD5 checksum: 128294 a2febef3ad9a2b403755790001f700dd
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-10+etch2_arm.deb
[continued in next message]