[PLDSA 34-1] New cyrus-imap packages fix remote command execution
Krzysiek Taraszka
dzimi at pld.org.pl
Sat May 3 15:42:36 CEST 2003
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 34-1                   security at pld.org.pl
http://www.pld.org.pl/security/                    PLD Security Team
05 March 2003                                      http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------
Package : prior to cyrus-imap-2.0.16-10
Vulnerability : buffer overflow
Problem-Type : remote
PLD-specific : no
BugTraq ID : 4713
CVE references : CAN-2002-0379
CERT advisory : VU#740169
Timo Sirainen discovered a buffer overflow in the Cyrus IMAP server,
which could be exploited by a remote attacker prior to logging in. A
malicious user could craft a request to run commands on the server under
the UID and GID of the cyrus server.
The above problems have been fixed in version 2.0.17-1 for the
current stable distribution (ra).
We recommend that you upgrade your cyrus-imap packages.
wget -c url
    will fetch the file for you
rpm -Uhv file(s)*.rpm
    will upgrade the referenced file.
If you are using the "poldek" package manager, use the lines given below
to upgrade the packages:
poldek --update
    will update the internal database
poldek --upgrade 'cyrus-imap*'
    will install corrected packages
If you are using the "apt" package manager, use the lines given below
to upgrade the packages:
apt-get update
    will update the internal database
apt-get upgrade 'cyrus-imap*'
    will install corrected packages
PLD Linux 1.0 alias ra
--------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/cyrus-imapd-2.0.17-1.src.rpm
MD5 checksum: 4b94f6349daf1f533dd9a6236321f90e
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-2.0.17-1.i386.rpm
MD5 checksum: 1048a67a57e83c4754da03b2ace505b2
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-devel-2.0.17-1.i386.rpm
MD5 checksum: 18d31e1159d5f9520ff18041a33466d1
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-static-2.0.17-1.i386.rpm
MD5 checksum: 541c5e4b10ff3ca18c8578f6ef6d5faa
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/perl-cyrus-imapd-2.0.17-1.i386.rpm
MD5 checksum: f2bea18117260af08d6438cb7e52fb84
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cyrus-imapd-2.0.17-1.i586.rpm
MD5 checksum: ed7747e0510b255dc7dce6b7b332c473
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cyrus-imapd-devel-2.0.17-1.i586.rpm
MD5 checksum: f3cf0b1874b06d5adcb23f08c7b81229
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/cyrus-imapd-static-2.0.17-1.i586.rpm
MD5 checksum: 029e40a705a0bf75cc2ba1ce32f77ea1
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/perl-cyrus-imapd-2.0.17-1.i586.rpm
MD5 checksum: a9d473e0d4c190700eeb5177c1c0cce0
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cyrus-imapd-2.0.17-1.i686.rpm
MD5 checksum: 519bd80b564c00f13eb07ea651452990
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cyrus-imapd-devel-2.0.17-1.i686.rpm
MD5 checksum: 5a3236e3ce204c3db39326392dcdc48b
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/cyrus-imapd-static-2.0.17-1.i686.rpm
MD5 checksum: b02c93ebd088b615feffee4252029832
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/perl-cyrus-imapd-2.0.17-1.i686.rpm
MD5 checksum: c7ca3cf50f9628a3816645d773474b5f
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cyrus-imapd-2.0.17-1.ppc.rpm
MD5 checksum: f3bd6e8a12f3692c7a80edc34f26d5bc
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cyrus-imapd-devel-2.0.17-1.ppc.rpm
MD5 checksum: 486865f3d12de893313aa2e40a1cf7cf
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/cyrus-imapd-static-2.0.17-1.ppc.rpm
MD5 checksum: fbf0dcf0c797665c84cd47088542af6d
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/perl-cyrus-imapd-2.0.17-1.ppc.rpm
MD5 checksum: b7685fe5c16dab3c8252aa5f432c7416
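The advisory publishes an MD5 checksum next to every package so that a fetched file can be checked before it is handed to rpm. The script below is an added example, not part of the PLD advisory or of the PLD tooling: it takes the i386 URLs and checksums exactly as listed above, downloads each file with wget -c, compares the digest of the downloaded file against the published one, deletes anything that does not match, and only runs rpm -Uhv when every file verified. The DO_UPGRADE variable and the helper names are assumptions of this example; the network step is skipped unless DO_UPGRADE=1 is set, so the verification helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the PLD advisory): fetch the i386 update packages
# listed in the advisory, check each file's MD5 against the published checksum,
# and hand the files to rpm -Uhv only if all of them verified.

# Manifest copied from the advisory's i386 section: "<url> <expected md5>".
MANIFEST='
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-2.0.17-1.i386.rpm 1048a67a57e83c4754da03b2ace505b2
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-devel-2.0.17-1.i386.rpm 18d31e1159d5f9520ff18041a33466d1
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/cyrus-imapd-static-2.0.17-1.i386.rpm 541c5e4b10ff3ca18c8578f6ef6d5faa
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/perl-cyrus-imapd-2.0.17-1.i386.rpm f2bea18117260af08d6438cb7e52fb84
'

# md5_of FILE: print the hex MD5 digest of FILE (coreutils md5sum, openssl fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED: return 0 when the full 32-hex-digit digest of FILE
# equals EXPECTED (compared case-insensitively), 1 if it differs or FILE is missing.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    actual=$(md5_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED: download into the current directory with wget -c
# (resumable, as the advisory suggests), then verify. A mismatched file is removed
# so a truncated or tampered download can never reach rpm by accident.
fetch_and_verify() {
    url=$1
    expected=$2
    file=${url##*/}
    wget -c "$url" || return 1
    if verify_md5 "$file" "$expected"; then
        echo "OK   $file"
    else
        echo "BAD  $file (md5 mismatch, removed)" >&2
        rm -f "$file"
        return 1
    fi
}

# upgrade_from_manifest: process every manifest entry; install only if all verified.
upgrade_from_manifest() {
    rpms=""
    failed=0
    old_ifs=$IFS
    IFS='
'
    for entry in $MANIFEST; do
        IFS=$old_ifs
        url=${entry%% *}
        sum=${entry##* }
        if fetch_and_verify "$url" "$sum"; then
            rpms="$rpms ${url##*/}"
        else
            failed=1
        fi
    done
    IFS=$old_ifs
    if [ "$failed" -ne 0 ]; then
        echo "refusing to install: at least one package failed verification" >&2
        return 1
    fi
    # shellcheck disable=SC2086  (word splitting on $rpms is intended)
    rpm -Uhv $rpms
}

# DO_UPGRADE is an assumed switch for this example: the real download and install
# run only when it is set to 1, so the file can be sourced or run offline.
if [ "${DO_UPGRADE:-0}" = "1" ]; then
    upgrade_from_manifest
fi
```

Run it as `DO_UPGRADE=1 sh verify-and-upgrade.sh` on the i386 host; for another architecture swap the manifest for the matching section of the advisory. Note that MD5 only protects against corrupt or truncated downloads and against a mirror serving a different file than the one the advisory describes; it is the advisory's published list, received out of band, that anchors the check.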
--------------------------------------------------------------------------
If you are using poldek, add this line to poldek.conf.
If you are using apt-get, add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security