Debian Bug report logs -
#627081
STARTTLS plaintext command injection
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Tue, 17 May 2011 15:03:05 UTC
Severity: grave
Tags: lenny, security, sid, squeeze
Found in versions cyrus-imapd-2.2/2.2.13-14+lenny3, cyrus-imapd-2.2/2.2.13-19
Fixed in versions 2.2.13-19+squeeze1, cyrus-imapd-2.2/2.2.13-14+lenny4, cyrus-imapd-2.2/2.2.13p1-11
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2.
(Tue, 17 May 2011 15:03:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>.
(Tue, 17 May 2011 15:03:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cyrus-imapd-2.2
Severity: grave
Tags: security
Hi,
I was found out that Cyrus is also vulnerable to the STARTTLS plaintext
command injection vulnerability originally discovered in Postfix:
http://www.kb.cert.org/vuls/id/555316
http://www.postfix.org/CVE-2011-0411.html
Cyrus bug:
http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424
Patch:
http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2.
(Wed, 18 May 2011 07:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>.
(Wed, 18 May 2011 07:33:03 GMT) (full text, mbox, link).
Message #10 received at submit@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
thanks for heads-up.
I am preparing the security updates for cyrus-imapd-2.2 right now.
Please note that for cyrus-imapd-2.4 this vulnerability was fixed in
upstream 2.4.7.
O.
On Tue, May 17, 2011 at 16:59, Moritz Muehlenhoff
<muehlenhoff@univention.de> wrote:
> Package: cyrus-imapd-2.2
> Severity: grave
> Tags: security
>
> Hi,
> I was found out that Cyrus is also vulnerable to the STARTTLS plaintext
> command injection vulnerability originally discovered in Postfix:
>
> http://www.kb.cert.org/vuls/id/555316
> http://www.postfix.org/CVE-2011-0411.html
>
> Cyrus bug:
> http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424
>
> Patch:
> http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162
>
> Cheers,
> Moritz
>
>
>
> _______________________________________________
> Pkg-Cyrus-imapd-Debian-devel mailing list
> Pkg-Cyrus-imapd-Debian-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-cyrus-imapd-debian-devel
>
--
Ondřej Surý <ondrej@sury.org>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2.
(Wed, 18 May 2011 07:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>.
(Wed, 18 May 2011 07:33:07 GMT) (full text, mbox, link).
Bug Marked as fixed in versions cyrus-imapd-2.2/2.2.13p1-11.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Thu, 19 May 2011 07:48:03 GMT) (full text, mbox, link).
Bug Marked as found in versions cyrus-imapd-2.2/2.2.13-14+lenny3.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Thu, 19 May 2011 07:48:03 GMT) (full text, mbox, link).
Bug Marked as found in versions cyrus-imapd-2.2/2.2.13-19.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Thu, 19 May 2011 07:48:04 GMT) (full text, mbox, link).
Added tag(s) sid, squeeze, and lenny.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Thu, 19 May 2011 07:48:05 GMT) (full text, mbox, link).
Bug Marked as fixed in versions cyrus-imapd-2.2/2.2.13-14+lenny4.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Fri, 03 Jun 2011 15:45:05 GMT) (full text, mbox, link).
Bug Marked as fixed in versions 2.2.13-19+squeeze1.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Fri, 03 Jun 2011 15:45:06 GMT) (full text, mbox, link).
Bug marked as fixed in version 2.2.13p1-11, send any further explanations to Moritz Muehlenhoff <muehlenhoff@univention.de>
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Fri, 03 Jun 2011 15:45:08 GMT) (full text, mbox, link).
Bug 627081 cloned as bug 629350.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Sun, 05 Jun 2011 20:06:02 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Fri, 10 Jun 2011 01:57:06 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Fri, 10 Jun 2011 01:57:06 GMT) (full text, mbox, link).
Message #36 received at 627081-close@bugs.debian.org (full text, mbox, reply):
Source: cyrus-imapd-2.2
Source-Version: 2.2.13-19+squeeze1
We believe that the bug you reported is fixed in the latest version of
cyrus-imapd-2.2, which is due to be installed in the Debian FTP archive:
cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
to main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
to main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
to main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 627081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated cyrus-imapd-2.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 18 May 2011 10:15:26 +0200
Source: cyrus-imapd-2.2
Binary: cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-pop3d-2.2 cyrus-admin-2.2 cyrus-murder-2.2 cyrus-nntpd-2.2 cyrus-clients-2.2 cyrus-dev-2.2 libcyrus-imap-perl22
Architecture: source all amd64
Version: 2.2.13-19+squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
cyrus-admin-2.2 - Cyrus mail system - administration tools
cyrus-clients-2.2 - Cyrus mail system (test clients)
cyrus-common-2.2 - Cyrus mail system - common files
cyrus-dev-2.2 - Cyrus mail system (developer files)
cyrus-doc-2.2 - Cyrus mail system - documentation files
cyrus-imapd-2.2 - Cyrus mail system - IMAP support
cyrus-murder-2.2 - Cyrus mail system (proxies and aggregator)
cyrus-nntpd-2.2 - Cyrus mail system (NNTP support)
cyrus-pop3d-2.2 - Cyrus mail system - POP3 support
libcyrus-imap-perl22 - Interface to Cyrus imap client imclient library
Closes: 627078 627081
Changes:
cyrus-imapd-2.2 (2.2.13-19+squeeze1) stable-security; urgency=low
.
* Fix infinite loop in case of corrupted index files (Closes: #627078)
* Add gbp.conf to easy future updates
* Fix CVE-2011-1926: STARTTLS plaintext command injection
vulnerability (VU#555316) (Closes: #627081)
Checksums-Sha1:
d33cdf822fbe88949000ac18f13e1403ec52ab76 1952 cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
d36e826271cc2c7ed497a7053b73a2ddbc2e1f44 272651 cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
3db78b61c8e46872e09ce0a5b55461e970b088fa 229340 cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
8dc23c34f14b30e4f6b0b79131251192dc1d6ee6 83476 cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
fe462bd6c07a01a0592955a94d7a4d898f7fbd47 5825038 cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
56b3e0944020bfb1b00a48b95b6828413ccba6f2 960660 cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
c32fba5465cc585d480ff5307447463bfccfbd1c 285904 cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
8811cbb762408879aa51eb144b416563370a46a7 1159580 cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
b172159c2df69461970f91bd6aaf9ab696e9c9c3 620712 cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
53863bbba4f46533aa783aa0404d3b05486651f0 137394 cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
a83fe0ad7b2227618f75d1752ad18c3a6aacade8 274342 cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
880801ecd6c828dce5d69806b0206f7f1cc8cb97 191362 libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Checksums-Sha256:
3c6c2d744044b0b9dd6f8b2b72ae3597d78ade8c545e1a0ea78d02d81254859d 1952 cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
993bf73a8f7e431c81ceb4d02b58dc47fc0d00e8a463c1d595ccd48c6279b868 272651 cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
7dbbe84fe25fadbf8e3d4759568d728a2c28b4874d93c6ba2cde1b78af54e1c0 229340 cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
3e70283a40ed9331c5b903563c573fcdc4e3d05e398e80a41337e89b04696356 83476 cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
5138508b66988cd140ae9e7cde314cc6e1c8964c18dc9f862fdf6461deeba60a 5825038 cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
9f52b991c771523a51d225a1786702825a892f1d5c14c77db3d923c568a79d80 960660 cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
12ca9d7a80ade816a04523b1f056146aa16da56e8fc72eefc1bd3c3b90c39274 285904 cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
1ca40ce809ec0f33b11c7ff0d6796d99619b6f543e5983fdca4f71266baed344 1159580 cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
da8c20e19ce0744c33c3a7a23b337b01e1506516756e691c8c63419e5d496580 620712 cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
9bebfa903533fc65662a5ceff89e3f477cd36c394fce8b62de06cccb9c5afa70 137394 cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
013d408a74bed09ed0104d6f9bb7aa99806a215210efde6f3d6173dc7aecff86 274342 cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
ec1b04f6d715a341a70cb83a8fa5175bf7fb7b399c9d378f03f55d6b5ad55f22 191362 libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Files:
956df49f3e4bb8b70b62352803931108 1952 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
6c7d14d1a2238f4387f0185b173d6031 272651 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
fe2c1f6c1b6b837b29627d701440399a 229340 doc extra cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
b72bd7a6778e4996b447ae2369e6b801 83476 mail extra cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
2d242ed052d3aac38be58070d3c9a598 5825038 mail extra cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
cd1f2a5daa22c5fe43f0a917e9498762 960660 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
61dcf51e720acd06d92c8c4e99f56e89 285904 mail extra cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
a992737f3deb10683d409de06d49391f 1159580 mail extra cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
a8930f70ea90bd49f6b1753a3fd37157 620712 mail extra cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
d75c62b1f17f9edf5b576e4dc3725218 137394 mail extra cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
97d29466223c9d2943f9a0b8cc99f517 274342 devel extra cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
6cbdb5b0f65a423809aae7dc1f2a5507 191362 perl extra libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk3TkvUACgkQ9OZqfMIN8nMGGACgg0D+ZmZGAWGxz95hgS4BOpeJ
o9QAnRSQa4yVxK9Ni283o+ZTeqivsDtZ
=Ze5D
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 08 Jul 2011 07:38:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:02:52 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon