 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:100
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cyrus-imapd
 Date    : May 24, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and fixed in cyrus-imapd:

 The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does
 not properly restrict I/O buffering, which allows man-in-the-middle
 attackers to insert commands into encrypted sessions by sending a
 cleartext command that is processed after TLS is in place, related
 to a plaintext command injection attack, a similar issue to
 CVE-2011-0411 (CVE-2011-1926).

 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct this issue.
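 The buffering flaw described in the Problem Description, as an added example that is not part of the advisory and is not Cyrus IMAP code: a simplified C model of a line-buffered command loop, in which cleartext sharing a read with STARTTLS is executed after TLS is switched on, next to the same loop with the unread buffer discarded at that point. The struct, the function names and the sample bytes are constructed for illustration, and discarding the buffer is assumed here as one way to restrict the buffering.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: both lines arrive in ONE plaintext read(), before
 * any TLS handshake, so every byte could come from a man in the middle. */
static const char SAMPLE_WIRE[] = "a1 STARTTLS\r\na2 NOOP\r\n";

struct session {          /* hypothetical model, not Cyrus code */
    const char *buf;      /* unread bytes left in the input buffer */
    int tls_active;       /* set once STARTTLS has been accepted */
    int injected;         /* cleartext commands run as if encrypted */
};

/* Pop one CRLF-terminated line from the buffer; returns 0 when empty. */
static int next_line(struct session *s, char *line, size_t cap)
{
    const char *eol = strstr(s->buf, "\r\n");
    if (eol == NULL) return 0;
    size_t n = (size_t)(eol - s->buf);
    if (n >= cap) n = cap - 1;
    memcpy(line, s->buf, n);
    line[n] = '\0';
    s->buf = eol + 2;
    return 1;
}

/* Run the command loop over one plaintext read. With discard_on_starttls
 * set, unread plaintext is dropped at the moment TLS is switched on. */
int count_injected(const char *wire, int discard_on_starttls)
{
    struct session s = { wire, 0, 0 };
    char line[128];
    while (next_line(&s, line, sizeof line)) {
        const char *cmd = strchr(line, ' ');      /* skip the IMAP tag */
        cmd = cmd ? cmd + 1 : line;
        if (s.tls_active) {
            s.injected++;         /* pre-handshake bytes run post-TLS */
        } else if (strcasecmp(cmd, "STARTTLS") == 0) {
            s.tls_active = 1;     /* the handshake would happen here */
            if (discard_on_starttls)
                s.buf += strlen(s.buf);   /* the fix: empty the buffer */
        }
    }
    return s.injected;
}

int main(void) {
    printf("vulnerable=%d fixed=%d\n", count_injected(SAMPLE_WIRE, 0), count_injected(SAMPLE_WIRE, 1));
    return 0;
}
```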
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926
 _______________________________________________________________________

 Updated Packages:

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team