Kolab Security Issue 24 20091002 (imapd)
Thomas Arendsen Hein
thomas at intevation.de
Fri Oct 2 12:53:26 CEST 2009
Kolab Security Issue 24 20091002
================================
Package: Kolab Server, Cyrus IMAP Server
Vulnerability: various
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus
IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that
may be triggered by a specially crafted SIEVE script. To install this type of
script, the attacker would need to have direct access to a mail account on the
server.
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of Cyrus IMAP Server up to version 2.3.14
Kolab Server 2.2.2 and previous releases are affected.
Fix
~~~
Upgrade Cyrus IMAP Server to imapd-2.3.13-20081020_kolab3, which
includes a patch to fix the problem.
OpenPKG packages for Kolab Server 2.2.2 are available from
http://files.kolab.org/server/security-updates/20091002/
or from the mirrors listed on http://kolab.org/mirrors.html
A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian5.0-kolab.rpm
A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch)
is available as imapd-2.3.13-20081020_kolab3.ix86-debian4.0-kolab.rpm
Above source and binary packages have been verified to work with Kolab
Server 2.2.0, so you can upgrade the imapd package without doing a full
upgrade.
All other server versions: Please upgrade to Kolab Server 2.2.x and install
the updated imapd package.
You can check the integrity of the downloaded files with:
$ gpg --keyserver keys.gnupg.net --recv-key 5816791A
or import the key from https://www.intevation.de/~thomas/gpg_pub_key.asc
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS
The source package can be compiled and installed on your Kolab Server with:
# su - kolab
$ openpkg rpm --rebuild --define 'with_fsl yes' --define 'with_group yes' \
--define 'with_group_igncase yes' --define 'with_atvdom yes' \
--define 'with_ldap yes' --define 'with_annotate yes' \
--define 'with_morelogging yes' --define 'with_kolab yes' \
--define 'with_kolab_nocaps yes' \
...path/to.../imapd-2.3.13-20081020_kolab3.src.rpm
$ openpkg rpm \
-Uvh /kolab/RPM/PKG/imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm
To install a binary package, just skip the rebuild step:
# su - kolab
$ openpkg rpm \
-Uvh ...path/to.../imapd-2.3.13-20081020_kolab3.<ARCH>-<OS>-kolab.rpm
Alternatively you can copy or symlink all source and binary rpms and
install-kolab.sh of your current installation and the source rpm of this
security advisory into a new directory and follow the instructions below
"Generating your own 00INDEX.rdf for installations or upgrades" in
1st.README to generate a new installer which can be used to compile and
install the new package without having to specify the "--define" options.
Details
~~~~~~~
http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
Cyrus IMAPd 2.2.13p1 & 2.3.15 Released
https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67&r2=1.68
Upstream patch for src/sieve/script.c by Bron Gondwana
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2632
CVE-2009-2632
Timeline
~~~~~~~~
20090909 Cyrus IMAPd 2.2.13p1 & 2.3.15 released.
20090922 Fix available via Kolab CVS, started testing.
20091002 Kolab Server security advisory published.
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
... and we need a dozen cans of tuna
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.kolab.org/pipermail/users/attachments/20091002/66c13e21/attachment.sig>
More information about the users
mailing list