Kolab Security Issue 24 20091002 (imapd)

Thomas Arendsen Hein thomas at intevation.de
Fri Oct 2 12:53:26 CEST 2009


Kolab Security Issue 24 20091002
================================

Package:              Kolab Server, Cyrus IMAP Server
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus
IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that
may be triggered by a specially crafted SIEVE script. To install this type of
script, the attacker would need to have direct access to a mail account on the
server.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of Cyrus IMAP Server up to version 2.3.14.
Kolab Server 2.2.2 and previous releases are affected.


Fix
~~~

Upgrade Cyrus IMAP Server to imapd-2.3.13-20081020_kolab3, which
includes a patch to fix the problem.

OpenPKG packages for Kolab Server 2.2.2 are available from
http://files.kolab.org/server/security-updates/20091002/
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian4.0-kolab.rpm

The above source and binary packages have been verified to work with Kolab
Server 2.2.0, so you can upgrade the imapd package alone without doing a
full upgrade.

All other server versions: Please upgrade to Kolab Server 2.2.x and install
the updated imapd package.


You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 5816791A
  or import the key from https://www.intevation.de/~thomas/gpg_pub_key.asc
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS


The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild --define 'with_fsl yes' --define 'with_group yes' \
  --define 'with_group_igncase yes' --define 'with_atvdom yes' \
  --define 'with_ldap yes' --define 'with_annotate yes' \
  --define 'with_morelogging yes' --define 'with_kolab yes' \
  --define 'with_kolab_nocaps yes' \
  ...path/to.../imapd-2.3.13-20081020_kolab3.src.rpm
$ openpkg rpm \
  -Uvh /kolab/RPM/PKG/imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm

To install a binary package, just skip the rebuild step:

# su - kolab
$ openpkg rpm \
  -Uvh ...path/to.../imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm

Alternatively you can copy or symlink all source and binary rpms and
install-kolab.sh of your current installation and the source rpm of this
security advisory into a new directory and follow the instructions below
"Generating your own 00INDEX.rdf for installations or upgrades" in
1st.README to generate a new installer which can be used to compile and
install the new package without having to specify the "--define" options.
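To find which servers still run an affected build, the following Python (an added example, not part of this advisory or of the Kolab project) parses Cyrus imapd package names in the form used above, such as the output of `openpkg rpm -q imapd` or the RPM file names, and reports whether the ranges given in this advisory (CVE-2009-2632: Cyrus 2.2 through 2.3.14 affected, fixed upstream in 2.2.13p1 and 2.3.15, fixed in Kolab by imapd-2.3.13-20081020_kolab3) call for an upgrade. The inventory format (hostname followed by package name) is a constructed assumption; a Kolab build is treated as fixed only if it is 2.3.13 with release 20081020_kolab3 or later, or carries an upstream version that already includes the fix.

```python
import re

# Version boundaries are taken from the advisory text; the package-name
# format "imapd-<version>-<release>" follows the RPM names it lists.
KOLAB_FIXED_VERSION = (2, 3, 13)
KOLAB_FIXED_RELEASE = (20081020, 3)            # 20081020_kolab3
UPSTREAM_FIXED = {(2, 2): (13, 1),             # 2.2.13p1
                  (2, 3): (15, 0)}             # 2.3.15

PKG_RE = re.compile(
    r"^imapd-(\d+)\.(\d+)\.(\d+)(?:p(\d+))?"    # upstream version, optional pN
    r"(?:-(\d{8})_kolab(\d+))?"                 # optional Kolab release tag
)

def parse_package(pkg):
    """Split 'imapd-2.3.13-20081020_kolab3[...]' into version and Kolab release."""
    m = PKG_RE.match(pkg.strip())
    if not m:
        raise ValueError("not a Cyrus imapd package name: %r" % pkg)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pn = int(m.group(4) or 0)                  # "p1" suffix, 0 if absent
    release = (int(m.group(5)), int(m.group(6))) if m.group(5) else None
    return (major, minor, patch, pn), release

def needs_upgrade(pkg):
    """True if the package lies inside the range the advisory calls vulnerable."""
    (major, minor, patch, pn), release = parse_package(pkg)
    if (major, minor) not in UPSTREAM_FIXED:
        return False                           # outside 2.2 .. 2.3.14
    if (patch, pn) >= UPSTREAM_FIXED[(major, minor)]:
        return False                           # upstream build with the fix
    if (release is not None and (major, minor, patch) == KOLAB_FIXED_VERSION
            and release >= KOLAB_FIXED_RELEASE):
        return False                           # Kolab backport of the fix
    return True                                # anything else: conservative

def check_inventory(lines):
    """Map host -> needs_upgrade for constructed 'host package' lines."""
    return {host: needs_upgrade(pkg)
            for host, pkg in (line.split()[:2] for line in lines if line.strip())}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = ["mail1 imapd-2.3.13-20081020_kolab2",
          "mail2 imapd-2.3.13-20081020_kolab3",
          "mail3 imapd-2.2.13"]

if __name__ == "__main__":
    for host, vulnerable in sorted(check_inventory(SAMPLE).items()):
        print(host, "UPGRADE" if vulnerable else "ok")
```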


Details
~~~~~~~

http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
	Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67&r2=1.68
	Upstream patch for src/sieve/script.c by Bron Gondwana

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2632
	CVE-2009-2632


Timeline
~~~~~~~~
    20090909 Cyrus IMAPd 2.2.13p1 & 2.3.15 released.
    20090922 Fix available via Kolab CVS, started testing.
    20091002 Kolab Server security advisory published.

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
... and we need a dozen cans of tuna