[Kolab-announce] Kolab Security Issue 24 20091002 (imapd)

Thomas Arendsen Hein thomas at intevation.de
Fri Oct 2 12:53:26 CEST 2009

Kolab Security Issue 24 20091002

Package:              Kolab Server, Cyrus IMAP Server
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus
IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that
may be triggered by a specially crafted SIEVE script. To install this type of
script, the attacker would need to have direct access to a mail account on the

Affected Versions

This affects Cyrus IMAP Server versions up to and including 2.3.14.
Kolab Server 2.2.2 and all previous releases are affected.


Upgrade Cyrus IMAP Server to imapd-2.3.13-20081020_kolab3, which
includes a patch to fix the problem.

OpenPKG packages for Kolab Server 2.2.2 are available from
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian4.0-kolab.rpm

Above source and binary packages have been verified to work with Kolab
Server 2.2.0, so you can upgrade the imapd package without doing a full

All other server versions: Please upgrade to Kolab Server 2.2.x and install
the updated imapd package.

You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 5816791A
  or import the key from https://www.intevation.de/~thomas/gpg_pub_key.asc
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild --define 'with_fsl yes' --define 'with_group yes' \
  --define 'with_group_igncase yes' --define 'with_atvdom yes' \
  --define 'with_ldap yes' --define 'with_annotate yes' \
  --define 'with_morelogging yes' --define 'with_kolab yes' \
  --define 'with_kolab_nocaps yes' \
$ openpkg rpm \
  -Uvh /kolab/RPM/PKG/imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm

To install a binary package, just skip the rebuild step:

# su - kolab
$ openpkg rpm \
  -Uvh ...path/to.../imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm

Alternatively you can copy or symlink all source and binary rpms and
install-kolab.sh of your current installation and the source rpm of this
security advisory into a new directory and follow the instructions below
"Generating your own 00INDEX.rdf for installations or upgrades" in
1st.README to generate a new installer which can be used to compile and
install the new package without having to specify the "--define" options.


	Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

	Upstream patch for src/sieve/script.c by Bron Gondwana


    20090909 Cyrus IMAPd 2.2.13p1 & 2.3.15 released.
    20090922 Fix available via Kolab CVS, started testing.
    20091002 Kolab Server security advisory published.

thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
... and we need a dozen cans of tuna