(RHSA-2011:0859) Moderate: cyrus-imapd security update

2011-06-0800:00:00

access.redhat.com

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

82.6%

JSON

The cyrus-imapd packages contain a high-performance mail server with IMAP,
POP3, NNTP, and Sieve support.

It was discovered that cyrus-imapd did not flush the received commands
buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3
sessions. A man-in-the-middle attacker could use this flaw to inject
protocol commands into a victim’s TLS session initialization messages. This
could lead to those commands being processed by cyrus-imapd, potentially
allowing the attacker to steal the victim’s mail or authentication
credentials. (CVE-2011-1926)

Users of cyrus-imapd are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
the update, cyrus-imapd will be restarted automatically.

OSVersionArchitecturePackageVersionFilename
RedHat4s390cyrus-imapd-utils< 2.2.12-15.el4cyrus-imapd-utils-2.2.12-15.el4.s390.rpm
RedHat4x86_64cyrus-imapd< 2.2.12-15.el4cyrus-imapd-2.2.12-15.el4.x86_64.rpm
RedHat6i686cyrus-imapd-devel< 2.3.16-6.el6_1.2cyrus-imapd-devel-2.3.16-6.el6_1.2.i686.rpm
RedHat4s390xcyrus-imapd-utils< 2.2.12-15.el4cyrus-imapd-utils-2.2.12-15.el4.s390x.rpm
RedHat6ppccyrus-imapd-devel< 2.3.16-6.el6_1.2cyrus-imapd-devel-2.3.16-6.el6_1.2.ppc.rpm
RedHat5i386cyrus-imapd-devel< 2.3.7-7.el5_6.4cyrus-imapd-devel-2.3.7-7.el5_6.4.i386.rpm
RedHat4ia64cyrus-imapd-utils< 2.2.12-15.el4cyrus-imapd-utils-2.2.12-15.el4.ia64.rpm
RedHat5ia64cyrus-imapd-perl< 2.3.7-7.el5_6.4cyrus-imapd-perl-2.3.7-7.el5_6.4.ia64.rpm
RedHat6i686cyrus-imapd< 2.3.16-6.el6_1.2cyrus-imapd-2.3.16-6.el6_1.2.i686.rpm
RedHat4ia64cyrus-imapd-murder< 2.2.12-15.el4cyrus-imapd-murder-2.2.12-15.el4.ia64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	4	s390	cyrus-imapd-utils	< 2.2.12-15.el4	cyrus-imapd-utils-2.2.12-15.el4.s390.rpm
RedHat	4	x86_64	cyrus-imapd	< 2.2.12-15.el4	cyrus-imapd-2.2.12-15.el4.x86_64.rpm
RedHat	6	i686	cyrus-imapd-devel	< 2.3.16-6.el6_1.2	cyrus-imapd-devel-2.3.16-6.el6_1.2.i686.rpm
RedHat	4	s390x	cyrus-imapd-utils	< 2.2.12-15.el4	cyrus-imapd-utils-2.2.12-15.el4.s390x.rpm
RedHat	6	ppc	cyrus-imapd-devel	< 2.3.16-6.el6_1.2	cyrus-imapd-devel-2.3.16-6.el6_1.2.ppc.rpm
RedHat	5	i386	cyrus-imapd-devel	< 2.3.7-7.el5_6.4	cyrus-imapd-devel-2.3.7-7.el5_6.4.i386.rpm
RedHat	4	ia64	cyrus-imapd-utils	< 2.2.12-15.el4	cyrus-imapd-utils-2.2.12-15.el4.ia64.rpm
RedHat	5	ia64	cyrus-imapd-perl	< 2.3.7-7.el5_6.4	cyrus-imapd-perl-2.3.7-7.el5_6.4.ia64.rpm
RedHat	6	i686	cyrus-imapd	< 2.3.16-6.el6_1.2	cyrus-imapd-2.3.16-6.el6_1.2.i686.rpm
RedHat	4	ia64	cyrus-imapd-murder	< 2.2.12-15.el4	cyrus-imapd-murder-2.2.12-15.el4.ia64.rpm