Debian Bug report logs - #627081
STARTTLS plaintext command injection

version graph

Package: cyrus-imapd-2.2; Maintainer for cyrus-imapd-2.2 is Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>; Source for cyrus-imapd-2.2 is src:cyrus-imapd-2.4.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 17 May 2011 15:03:05 UTC

Severity: grave

Tags: lenny, security, sid, squeeze

Found in versions cyrus-imapd-2.2/2.2.13-14+lenny3, cyrus-imapd-2.2/2.2.13-19

Fixed in versions 2.2.13-19+squeeze1, cyrus-imapd-2.2/2.2.13-14+lenny4, cyrus-imapd-2.2/2.2.13p1-11

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2. (Tue, 17 May 2011 15:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>. (Tue, 17 May 2011 15:03:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: STARTTLS plaintext command injection
Date: Tue, 17 May 2011 16:59:09 +0200
Package: cyrus-imapd-2.2
Severity: grave
Tags: security

Hi,
I was found out that Cyrus is also vulnerable to the STARTTLS plaintext
command injection vulnerability originally discovered in Postfix:

http://www.kb.cert.org/vuls/id/555316
http://www.postfix.org/CVE-2011-0411.html

Cyrus bug:
http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424 

Patch:
http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2. (Wed, 18 May 2011 07:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>. (Wed, 18 May 2011 07:33:03 GMT) Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 627081@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#627081: STARTTLS plaintext command injection
Date: Wed, 18 May 2011 09:30:33 +0200
Hi Moritz,

thanks for heads-up.

I am preparing the security updates for cyrus-imapd-2.2 right now.

Please note that for cyrus-imapd-2.4 this vulnerability was fixed in
upstream 2.4.7.

O.

On Tue, May 17, 2011 at 16:59, Moritz Muehlenhoff
<muehlenhoff@univention.de> wrote:
> Package: cyrus-imapd-2.2
> Severity: grave
> Tags: security
>
> Hi,
> I was found out that Cyrus is also vulnerable to the STARTTLS plaintext
> command injection vulnerability originally discovered in Postfix:
>
> http://www.kb.cert.org/vuls/id/555316
> http://www.postfix.org/CVE-2011-0411.html
>
> Cyrus bug:
> http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424
>
> Patch:
> http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162
>
> Cheers,
>        Moritz
>
>
>
> _______________________________________________
> Pkg-Cyrus-imapd-Debian-devel mailing list
> Pkg-Cyrus-imapd-Debian-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-cyrus-imapd-debian-devel
>



-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>:
Bug#627081; Package cyrus-imapd-2.2. (Wed, 18 May 2011 07:33:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>. (Wed, 18 May 2011 07:33:07 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions cyrus-imapd-2.2/2.2.13p1-11. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 19 May 2011 07:48:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions cyrus-imapd-2.2/2.2.13-14+lenny3. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 19 May 2011 07:48:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions cyrus-imapd-2.2/2.2.13-19. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 19 May 2011 07:48:04 GMT) Full text and rfc822 format available.

Added tag(s) sid, squeeze, and lenny. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 19 May 2011 07:48:05 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions cyrus-imapd-2.2/2.2.13-14+lenny4. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 03 Jun 2011 15:45:05 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 2.2.13-19+squeeze1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 03 Jun 2011 15:45:06 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 2.2.13p1-11, send any further explanations to Moritz Muehlenhoff <muehlenhoff@univention.de> Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 03 Jun 2011 15:45:08 GMT) Full text and rfc822 format available.

Bug 627081 cloned as bug 629350. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2011 20:06:02 GMT) Full text and rfc822 format available.

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2011 01:57:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 10 Jun 2011 01:57:06 GMT) Full text and rfc822 format available.

Message #36 received at 627081-close@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: 627081-close@bugs.debian.org
Subject: Bug#627081: fixed in cyrus-imapd-2.2 2.2.13-19+squeeze1
Date: Fri, 10 Jun 2011 01:54:38 +0000
Source: cyrus-imapd-2.2
Source-Version: 2.2.13-19+squeeze1

We believe that the bug you reported is fixed in the latest version of
cyrus-imapd-2.2, which is due to be installed in the Debian FTP archive:

cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
  to main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
  to main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated cyrus-imapd-2.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 18 May 2011 10:15:26 +0200
Source: cyrus-imapd-2.2
Binary: cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-pop3d-2.2 cyrus-admin-2.2 cyrus-murder-2.2 cyrus-nntpd-2.2 cyrus-clients-2.2 cyrus-dev-2.2 libcyrus-imap-perl22
Architecture: source all amd64
Version: 2.2.13-19+squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 cyrus-admin-2.2 - Cyrus mail system - administration tools
 cyrus-clients-2.2 - Cyrus mail system (test clients)
 cyrus-common-2.2 - Cyrus mail system - common files
 cyrus-dev-2.2 - Cyrus mail system (developer files)
 cyrus-doc-2.2 - Cyrus mail system - documentation files
 cyrus-imapd-2.2 - Cyrus mail system - IMAP support
 cyrus-murder-2.2 - Cyrus mail system (proxies and aggregator)
 cyrus-nntpd-2.2 - Cyrus mail system (NNTP support)
 cyrus-pop3d-2.2 - Cyrus mail system - POP3 support
 libcyrus-imap-perl22 - Interface to Cyrus imap client imclient library
Closes: 627078 627081
Changes: 
 cyrus-imapd-2.2 (2.2.13-19+squeeze1) stable-security; urgency=low
 .
   * Fix infinite loop in case of corrupted index files (Closes: #627078)
   * Add gbp.conf to easy future updates
   * Fix CVE-2011-1926: STARTTLS plaintext command injection
     vulnerability (VU#555316) (Closes: #627081)
Checksums-Sha1: 
 d33cdf822fbe88949000ac18f13e1403ec52ab76 1952 cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 d36e826271cc2c7ed497a7053b73a2ddbc2e1f44 272651 cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 3db78b61c8e46872e09ce0a5b55461e970b088fa 229340 cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 8dc23c34f14b30e4f6b0b79131251192dc1d6ee6 83476 cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 fe462bd6c07a01a0592955a94d7a4d898f7fbd47 5825038 cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 56b3e0944020bfb1b00a48b95b6828413ccba6f2 960660 cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 c32fba5465cc585d480ff5307447463bfccfbd1c 285904 cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 8811cbb762408879aa51eb144b416563370a46a7 1159580 cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 b172159c2df69461970f91bd6aaf9ab696e9c9c3 620712 cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 53863bbba4f46533aa783aa0404d3b05486651f0 137394 cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 a83fe0ad7b2227618f75d1752ad18c3a6aacade8 274342 cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 880801ecd6c828dce5d69806b0206f7f1cc8cb97 191362 libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Checksums-Sha256: 
 3c6c2d744044b0b9dd6f8b2b72ae3597d78ade8c545e1a0ea78d02d81254859d 1952 cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 993bf73a8f7e431c81ceb4d02b58dc47fc0d00e8a463c1d595ccd48c6279b868 272651 cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 7dbbe84fe25fadbf8e3d4759568d728a2c28b4874d93c6ba2cde1b78af54e1c0 229340 cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 3e70283a40ed9331c5b903563c573fcdc4e3d05e398e80a41337e89b04696356 83476 cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 5138508b66988cd140ae9e7cde314cc6e1c8964c18dc9f862fdf6461deeba60a 5825038 cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 9f52b991c771523a51d225a1786702825a892f1d5c14c77db3d923c568a79d80 960660 cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 12ca9d7a80ade816a04523b1f056146aa16da56e8fc72eefc1bd3c3b90c39274 285904 cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 1ca40ce809ec0f33b11c7ff0d6796d99619b6f543e5983fdca4f71266baed344 1159580 cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 da8c20e19ce0744c33c3a7a23b337b01e1506516756e691c8c63419e5d496580 620712 cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 9bebfa903533fc65662a5ceff89e3f477cd36c394fce8b62de06cccb9c5afa70 137394 cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 013d408a74bed09ed0104d6f9bb7aa99806a215210efde6f3d6173dc7aecff86 274342 cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 ec1b04f6d715a341a70cb83a8fa5175bf7fb7b399c9d378f03f55d6b5ad55f22 191362 libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Files: 
 956df49f3e4bb8b70b62352803931108 1952 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 6c7d14d1a2238f4387f0185b173d6031 272651 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 fe2c1f6c1b6b837b29627d701440399a 229340 doc extra cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 b72bd7a6778e4996b447ae2369e6b801 83476 mail extra cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 2d242ed052d3aac38be58070d3c9a598 5825038 mail extra cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 cd1f2a5daa22c5fe43f0a917e9498762 960660 mail extra cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 61dcf51e720acd06d92c8c4e99f56e89 285904 mail extra cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 a992737f3deb10683d409de06d49391f 1159580 mail extra cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 a8930f70ea90bd49f6b1753a3fd37157 620712 mail extra cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 d75c62b1f17f9edf5b576e4dc3725218 137394 mail extra cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 97d29466223c9d2943f9a0b8cc99f517 274342 devel extra cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 6cbdb5b0f65a423809aae7dc1f2a5507 191362 perl extra libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3TkvUACgkQ9OZqfMIN8nMGGACgg0D+ZmZGAWGxz95hgS4BOpeJ
o9QAnRSQa4yVxK9Ni283o+ZTeqivsDtZ
=Ze5D
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jul 2011 07:38:21 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:42:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.