[SECURITY] [DSA 2258-1] kolab-cyrus-imapd security update

2011-06-1116:51:16

lists.debian.org

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.1%

JSON

Debian Security Advisory DSA-2257-1 [email protected]
http://www.debian.org/security/ Nico Golde
June 11, 2011 http://www.debian.org/security/faq

Package : kolab-cyrus-imapd
Vulnerability : implementation error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1926
Debian Bug : 629350

It was discovered that the STARTTLS implementation of the
Kolab Cyrus IMAP server does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands into encrypted
IMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is
processed after TLS is in place.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.2.13-5+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 2.2.13-9.1.

For the testing distribution (wheezy), this problem has been fixed in
version 2.2.13p1-0.1.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.13p1-0.1.

We recommend that you upgrade your kolab-cyrus-imapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6mipselcyrus-clients-2.2< 2.2.13-19+squeeze1cyrus-clients-2.2_2.2.13-19+squeeze1_mipsel.deb
Debian6kfreebsd-amd64cyrus-pop3d-2.2< 2.2.13-19+squeeze1cyrus-pop3d-2.2_2.2.13-19+squeeze1_kfreebsd-amd64.deb
Debian6armelcyrus-imapd-2.2< 2.2.13-19+squeeze1cyrus-imapd-2.2_2.2.13-19+squeeze1_armel.deb
Debian6mipskolab-cyrus-imapd< 2.2.13-9.1kolab-cyrus-imapd_2.2.13-9.1_mips.deb
Debian5s390kolab-cyrus-clients< 2.2.13-5+lenny3kolab-cyrus-clients_2.2.13-5+lenny3_s390.deb
Debian5alphacyrus-imapd-2.2< 2.2.13-14+lenny4cyrus-imapd-2.2_2.2.13-14+lenny4_alpha.deb
Debian6s390cyrus-common-2.2< 2.2.13-19+squeeze1cyrus-common-2.2_2.2.13-19+squeeze1_s390.deb
Debian6kfreebsd-i386libcyrus-imap-perl22< 2.2.13-19+squeeze1libcyrus-imap-perl22_2.2.13-19+squeeze1_kfreebsd-i386.deb
Debian6powerpccyrus-clients-2.2< 2.2.13-19+squeeze1cyrus-clients-2.2_2.2.13-19+squeeze1_powerpc.deb
Debian5amd64cyrus-nntpd-2.2< 2.2.13-14+lenny4cyrus-nntpd-2.2_2.2.13-14+lenny4_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	mipsel	cyrus-clients-2.2	< 2.2.13-19+squeeze1	cyrus-clients-2.2_2.2.13-19+squeeze1_mipsel.deb
Debian	6	kfreebsd-amd64	cyrus-pop3d-2.2	< 2.2.13-19+squeeze1	cyrus-pop3d-2.2_2.2.13-19+squeeze1_kfreebsd-amd64.deb
Debian	6	armel	cyrus-imapd-2.2	< 2.2.13-19+squeeze1	cyrus-imapd-2.2_2.2.13-19+squeeze1_armel.deb
Debian	6	mips	kolab-cyrus-imapd	< 2.2.13-9.1	kolab-cyrus-imapd_2.2.13-9.1_mips.deb
Debian	5	s390	kolab-cyrus-clients	< 2.2.13-5+lenny3	kolab-cyrus-clients_2.2.13-5+lenny3_s390.deb
Debian	5	alpha	cyrus-imapd-2.2	< 2.2.13-14+lenny4	cyrus-imapd-2.2_2.2.13-14+lenny4_alpha.deb
Debian	6	s390	cyrus-common-2.2	< 2.2.13-19+squeeze1	cyrus-common-2.2_2.2.13-19+squeeze1_s390.deb
Debian	6	kfreebsd-i386	libcyrus-imap-perl22	< 2.2.13-19+squeeze1	libcyrus-imap-perl22_2.2.13-19+squeeze1_kfreebsd-i386.deb
Debian	6	powerpc	cyrus-clients-2.2	< 2.2.13-19+squeeze1	cyrus-clients-2.2_2.2.13-19+squeeze1_powerpc.deb
Debian	5	amd64	cyrus-nntpd-2.2	< 2.2.13-14+lenny4	cyrus-nntpd-2.2_2.2.13-14+lenny4_amd64.deb