*** This bug is a security vulnerability ***

Public security bug reported:

The command processing of the NNTP server implementation (nntpd) of cyrus-imapd is not properly implementing access restrictions for certain commands and is not checking for a complete, successful authentication. An attacker can use this flaw to bypass access restrictions for some commands and, e.g., exploit CVE-2011-3208 without proper authentication.

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3372

** Affects: cyrus-imapd-2.2 (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Affects: cyrus-imapd-2.4 (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: kolab-cyrus-imapd (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Lucid)
     Importance: Medium
         Status: Fix Released

** Affects: cyrus-imapd-2.4 (Ubuntu Lucid)
     Importance: Undecided
         Status: Fix Released

** Affects: kolab-cyrus-imapd (Ubuntu Lucid)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Maverick)
     Importance: Medium
         Status: Fix Released

** Affects: cyrus-imapd-2.4 (Ubuntu Maverick)
     Importance: Undecided
         Status: Fix Released

** Affects: kolab-cyrus-imapd (Ubuntu Maverick)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Natty)
     Importance: Medium
         Status: Confirmed

** Affects: cyrus-imapd-2.4 (Ubuntu Natty)
     Importance: Undecided
         Status: Fix Released

** Affects: kolab-cyrus-imapd (Ubuntu Natty)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Oneiric)
     Importance: Medium
         Status: Confirmed

** Affects: cyrus-imapd-2.4 (Ubuntu Oneiric)
     Importance: Undecided
         Status: Confirmed

** Affects: kolab-cyrus-imapd (Ubuntu Oneiric)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Precise)
     Importance: Medium
         Status: Confirmed

** Affects: cyrus-imapd-2.4 (Ubuntu Precise)
     Importance: Undecided
         Status: Confirmed

** Affects: kolab-cyrus-imapd (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: cyrus-imapd-2.2 (Ubuntu Hardy)
     Importance: Medium
         Status: Confirmed

** Affects: cyrus-imapd-2.4 (Ubuntu Hardy)
     Importance: Undecided
         Status: Fix Released

** Affects: kolab-cyrus-imapd (Ubuntu Hardy)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3372

** Also affects: cyrus-imapd-2.2 (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: cyrus-imapd-2.2 (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: cyrus-imapd-2.2 (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: cyrus-imapd-2.2 (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: cyrus-imapd-2.2 (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: cyrus-imapd-2.2 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: cyrus-imapd-2.2 (Ubuntu Lucid)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.2 (Ubuntu Maverick)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.2 (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: cyrus-imapd-2.2 (Ubuntu Natty)
       Status: New => Confirmed

** Changed in: cyrus-imapd-2.2 (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: cyrus-imapd-2.2 (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: cyrus-imapd-2.2 (Ubuntu Hardy)
   Importance: Undecided => Medium

** Changed in: cyrus-imapd-2.2 (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: cyrus-imapd-2.2 (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: cyrus-imapd-2.2 (Ubuntu Natty)
   Importance: Undecided => Medium

** Changed in: cyrus-imapd-2.2 (Ubuntu Oneiric)
   Importance: Undecided => Medium

** Changed in: cyrus-imapd-2.2 (Ubuntu Precise)
   Importance: Undecided => Medium

** Also affects: cyrus-imapd-2.4 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cyrus-imapd-2.4 (Ubuntu Hardy)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.4 (Ubuntu Lucid)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.4 (Ubuntu Maverick)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.4 (Ubuntu Natty)
       Status: New => Fix Released

** Changed in: cyrus-imapd-2.4 (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: cyrus-imapd-2.4 (Ubuntu Precise)
       Status: New => Confirmed

** Also affects: kolab-cyrus-imapd (Ubuntu)
   Importance: Undecided
       Status: New

-- 
https://bugs.launchpad.net/bugs/880909

Title:
  bypass access restrictions for some commands