[SECURITY] [DSA 2242-1] cyrus-imapd-2.2 security update

2011-05-2519:56:25

lists.debian.org

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

5.9 Medium

AI Score

Confidence

Low

0.011 Low

EPSS

Percentile

84.3%

JSON

Debian Security Advisory DSA-2242-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2011 http://www.debian.org/security/faq

Package : cyrus-imapd-2.2
Vulnerability : implementation error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1926
Debian Bug : 627081

It was discovered that the STARTTLS implementation of the Cyrus IMAP
server does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted IMAP,
LMTP, NNTP and POP3 sessions by sending a cleartext command that is
processed after TLS is in place.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.2.13-14+lenny4.

For the stable distribution (squeeze), this problem has been fixed in
version 2.2.13-19+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.13p1-11 for cyrus-imapd-2.2 and in version 2.4.7-1
for cyrus-imapd-2.4.

We recommend that you upgrade your cyrus-imapd-2.2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6i386cyrus-imapd-2.2< 2.2.13-19+squeeze1cyrus-imapd-2.2_2.2.13-19+squeeze1_i386.deb
Debian5sparckolab-cyrus-common< 2.2.13-5+lenny3kolab-cyrus-common_2.2.13-5+lenny3_sparc.deb
Debian5alphacyrus-clients-2.2< 2.2.13-14+lenny4cyrus-clients-2.2_2.2.13-14+lenny4_alpha.deb
Debian5ia64cyrus-clients-2.2< 2.2.13-14+lenny4cyrus-clients-2.2_2.2.13-14+lenny4_ia64.deb
Debian5ia64kolab-cyrus-pop3d< 2.2.13-5+lenny3kolab-cyrus-pop3d_2.2.13-5+lenny3_ia64.deb
Debian6kfreebsd-amd64kolab-cyrus-pop3d< 2.2.13-9.1kolab-cyrus-pop3d_2.2.13-9.1_kfreebsd-amd64.deb
Debian5amd64cyrus-common-2.2< 2.2.13-14+lenny4cyrus-common-2.2_2.2.13-14+lenny4_amd64.deb
Debian5hppakolab-cyrus-clients< 2.2.13-5+lenny3kolab-cyrus-clients_2.2.13-5+lenny3_hppa.deb
Debian5i386cyrus-imapd-2.2< 2.2.13-14+lenny4cyrus-imapd-2.2_2.2.13-14+lenny4_i386.deb
Debian5powerpckolab-cyrus-clients< 2.2.13-5+lenny3kolab-cyrus-clients_2.2.13-5+lenny3_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	i386	cyrus-imapd-2.2	< 2.2.13-19+squeeze1	cyrus-imapd-2.2_2.2.13-19+squeeze1_i386.deb
Debian	5	sparc	kolab-cyrus-common	< 2.2.13-5+lenny3	kolab-cyrus-common_2.2.13-5+lenny3_sparc.deb
Debian	5	alpha	cyrus-clients-2.2	< 2.2.13-14+lenny4	cyrus-clients-2.2_2.2.13-14+lenny4_alpha.deb
Debian	5	ia64	cyrus-clients-2.2	< 2.2.13-14+lenny4	cyrus-clients-2.2_2.2.13-14+lenny4_ia64.deb
Debian	5	ia64	kolab-cyrus-pop3d	< 2.2.13-5+lenny3	kolab-cyrus-pop3d_2.2.13-5+lenny3_ia64.deb
Debian	6	kfreebsd-amd64	kolab-cyrus-pop3d	< 2.2.13-9.1	kolab-cyrus-pop3d_2.2.13-9.1_kfreebsd-amd64.deb
Debian	5	amd64	cyrus-common-2.2	< 2.2.13-14+lenny4	cyrus-common-2.2_2.2.13-14+lenny4_amd64.deb
Debian	5	hppa	kolab-cyrus-clients	< 2.2.13-5+lenny3	kolab-cyrus-clients_2.2.13-5+lenny3_hppa.deb
Debian	5	i386	cyrus-imapd-2.2	< 2.2.13-14+lenny4	cyrus-imapd-2.2_2.2.13-14+lenny4_i386.deb
Debian	5	powerpc	kolab-cyrus-clients	< 2.2.13-5+lenny3	kolab-cyrus-clients_2.2.13-5+lenny3_powerpc.deb