OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 07-Mar-2005 11:59:22
Branch: HEAD Handle: 2005030710592200
Modified files:
openpkg-web/security OpenPKG-SA-2005.005-imapd.txt
Log:
completely edit OpenPKG-SA-2005.005-imapd, please review text
Summary:
Revision Changes Path
1.2 +35 -37 openpkg-web/security/OpenPKG-SA-2005.005-imapd.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.005-imapd.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.005-imapd.txt
--- openpkg-web/security/OpenPKG-SA-2005.005-imapd.txt 4 Mar 2005
16:12:01 -0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2005.005-imapd.txt 7 Mar 2005
10:59:22 -0000 1.2
@@ -3,70 +3,68 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2004.001 01-Jan-2004
+OpenPKG-SA-2005.005 07-Mar-2005
________________________________________________________________________
Package: imapd
-Vulnerability: crazy foo vulnerability
+Vulnerability: arbitrary code execution
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
-OpenPKG CURRENT <= foo-1.2.4-20040123 >= foo-1.2.4-20049124
-OpenPKG 2.2 <= foo-1.2.3-2.2.0 >= foo-1.2.3-2.2.1
-OpenPKG 2.1 <= foo-1.2.2-2.1.0 >= foo-1.2.2-2.1.1
+OpenPKG CURRENT <= imapd-2.2.10-20050129 >= imapd-2.2.11-20050214
+OpenPKG 2.2 <= imapd-2.2.8-2.2.1 >= imapd-2.2.8-2.2.2
Affected Releases: Dependent Packages:
-OpenPKG CURRENT bar quux
-OpenPKG 2.2 bar quux
-OpenPKG 2.1 bar
+OpenPKG CURRENT kolab, squirrelmail
+OpenPKG 2.2 kolab
Description:
- According to a ... security advisory based on hints from ...
- [0], a crazy vulnerability exists in the
- ... [1] ....
- The Common Vulnerabilities and Exposures (CVE) project
- assigned the id CAN-... [2] to the problem.
+ Sean Larsson discovered several vulnerabilities in the Cyrus IMAP
+ Server [0] that could allow a remote attacker to execute machine
+ code in the context of the server process.
+
+ The Cyrus Electronic Messaging Project identified the affected
+ server logic and released a security advisory [1]. Essentially,
+ the application is affected by multiple one byte buffer overflows
+ affecting the IMAP annotate extension and cached header handling
+ routines. Additionally, stack based overflows affecting the fetchnews,
+ backend, and imapd logic exist as well.
Please check whether you are affected by running "<prefix>/bin/openpkg
- rpm -q foo". If you have the "foo" package installed and its version
+ rpm -q imapd". If you have the "imapd" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
- (see Solution) and its dependent packages (see above), if any, too
- [3][4].
+ (see Solution) and its dependent packages (see above) as well [2][3].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
- location, verify its integrity [9], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the
- binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
- following operations to permanently fix the security problem (for
- other releases adjust accordingly).
+ [4], fetch it from the OpenPKG FTP service [5] or a mirror
+ location, verify its integrity [6], build a corresponding binary RPM
+ from it [2] and update your OpenPKG installation by applying the
+ binary RPM [3]. For the most recent release OpenPKG 2.2, perform the
+ following operations to permanently fix the security problem.
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/2.2/UPD
- ftp> get foo-1.2.3-2.2.1.src.rpm
+ ftp> get imapd-2.2.8-2.2.2.src.rpm
ftp> bye
- $ <prefix>/bin/openpkg rpm -v --checksig foo-1.2.3-2.2.1.src.rpm
- $ <prefix>/bin/openpkg rpm --rebuild foo-1.2.3-2.2.1.src.rpm
+ $ <prefix>/bin/openpkg rpm -v --checksig imapd-2.2.8-2.2.2.src.rpm
+ $ <prefix>/bin/openpkg rpm --rebuild imapd-2.2.8-2.2.2.src.rpm
$ su -
- # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/foo-1.2.3-2.2.1.*.rpm
+ # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/imapd-2.2.8-2.2.2.*.rpm
Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too [3][4].
+ all dependent packages (see above) as well [2][3].
________________________________________________________________________
References:
- [0] http://www.example.com/bugfinder.html
- [1] http://www.foo.org/
- [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-...
- [3] http://www.openpkg.org/tutorial.html#regular-source
- [4] http://www.openpkg.org/tutorial.html#regular-binary
- [5] ftp://ftp.openpkg.org/release/2.2/UPD/foo-1.2.3-2.2.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/2.1/UPD/foo-1.2.2-2.1.1.src.rpm
- [7] ftp://ftp.openpkg.org/release/2.2/UPD/
- [8] ftp://ftp.openpkg.org/release/2.1/UPD/
- [9] http://www.openpkg.org/security.html#signature
+ [0] http://asg.web.cmu.edu/cyrus/imapd/
+ [1]
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723
+ [2] http://www.openpkg.org/tutorial.html#regular-source
+ [3] http://www.openpkg.org/tutorial.html#regular-binary
+ [4] ftp://ftp.openpkg.org/release/2.2/UPD/imapd-2.2.8-2.2.2.src.rpm
+ [5] ftp://ftp.openpkg.org/release/2.2/UPD/
+ [6] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
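Review bot: the template's CVE sentence ("The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-... [2]") is removed without a replacement, so the new Description cites no vulnerability identifier at all; if CAN/CVE ids have been assigned for the Cyrus IMAP issues, cite them here with a matching References entry, otherwise keep the advisory's standard structure with a sentence stating that none was available at publication time. Two smaller points in the same hunk: reference "[1]" has its URL on the line after the label, while every other entry keeps label and URL on one line, so please confirm the committed file does not split it; and in the Description, "one byte buffer overflows" and "stack based overflows" should be hyphenated as "one-byte" and "stack-based".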
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]