From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1893-1                  [email protected]
http://www.debian.org/security/                      Giuseppe Iuculano
September 23, 2009                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Packages : cyrus-imapd-2.2 kolab-cyrus-imapd
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2009-2632 CVE-2009-3235
Debian Bug : 547712
It was discovered that the SIEVE component of cyrus-imapd and
kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer
overflow when processing SIEVE scripts.
This can be used to elevate privileges to the cyrus system user. An
attacker who is able to install SIEVE scripts executed by the server is
therefore able to read and modify arbitrary email messages on the
system. The update introduced by DSA 1881-1 was incomplete and the issue
has been given an additional CVE id due to its complexity.
For the oldstable distribution (etch), this problem has been fixed in
version 2.2.13-10+etch4 for cyrus-imapd-2.2 and version 2.2.13-2+etch2
for kolab-cyrus-imapd.
For the stable distribution (lenny), this problem has been fixed in
version 2.2.13-14+lenny3 for cyrus-imapd-2.2 and version 2.2.13-5+lenny2
for kolab-cyrus-imapd.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.2.13-15 for cyrus-imapd-2.2, and will be fixed soon for
kolab-cyrus-imapd.
We recommend that you upgrade your cyrus-imapd-2.2 and
kolab-cyrus-imapd packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
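To confirm after upgrading that a host is at or above the fixed versions listed above, the following check can be run over a package inventory. It is an added example, not part of the advisory: it reimplements dpkg's version ordering so it runs without dpkg (on a Debian host, `dpkg --compare-versions` performs the same comparison), and the function names and sample inventory are constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed versions per distribution, copied from the advisory text above.
FIXED = {
    "etch": {"cyrus-imapd-2.2": "2.2.13-10+etch4", "kolab-cyrus-imapd": "2.2.13-2+etch2"},
    "lenny": {"cyrus-imapd-2.2": "2.2.13-14+lenny3", "kolab-cyrus-imapd": "2.2.13-5+lenny2"},
    "sid": {"cyrus-imapd-2.2": "2.2.13-15"},  # kolab-cyrus-imapd: fix still pending
}

def _order(c):
    # dpkg character order: '~' sorts before end-of-string, letters before punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs; each run ends with marker 0.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part) if nd or d]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def deb_cmp(v1, v2):
    """Compare two Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(release, inventory):
    """Map each 'package version' line to fixed / vulnerable / no fix listed."""
    result = {}
    for pkg, ver in (line.split() for line in inventory.strip().splitlines()):
        fixed = FIXED.get(release, {}).get(pkg)
        result[pkg] = ("no fix listed" if fixed is None else
                       "fixed" if deb_cmp(ver, fixed) >= 0 else "vulnerable")
    return result

# Constructed sample inventory for a lenny host (not real output), in the
# "package version" form printed by: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_LENNY = "cyrus-imapd-2.2 2.2.13-14+lenny2\nkolab-cyrus-imapd 2.2.13-5+lenny2\n"
print(audit("lenny", SAMPLE_LENNY))
```

A "no fix listed" result covers the cases the advisory marks as "will be fixed soon", so those hosts need a re-check once a fixed version is published.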
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]