6247276 2001-03-19 17:17 -0300 /135 rader/ <secure@CONECTIVA.COM.BR> Sänt av: joel@lysator.liu.se Importerad: 2001-03-20 18:09 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: secure@CONECTIVA.COM.BR Mottagare: Bugtraq (import) <15995> Ärende: [CLA-2001:388] Conectiva Linux Security Announcement - imap ------------------------------------------------------------ From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200103192017.RAA00431@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : imap SUMMARY : Remote buffer overflow DATE : 2001-03-19 16:51:00 ID : CLA-2001:388 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0 - ------------------------------------------------------------------------- DESCRIPTION "imap" is a package which contains POP3 and IMAP mail servers. Several buffer overflow vulnerabilities have been found in this package by their authors and by independent groups (www.bufferoverflow.org has published an exploit for one of these vulnerabilities). These vulnerabilities can be exploited only after user authentication, which basically limits the scope of the vulnerability to a remote shell with that user's permissions. On systems where users already have a shell, this vulnerability will not provide anything new to that user (unless he/she has only local shell access). But, on systems where the email accounts do not provide shell access (tipically ISPs), this is a bigger problem. It is also important to note that packages from version 5.1 or higher of the CL distribution have been compiled with StackGuard, which makes it more difficult (but not impossible) to exploit buffer overflows of this type. SOLUTION The packages offered here include many security fixes from the latest beta version of imap at that time (snapshot 0102232125), and also fix the specific problem the published exploit attacks. It is recommended that all imap users update their packages, specially if their systems provide mail access without remote shell accounts. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/imap-doc-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/imap-2000c-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/imap-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/imap-devel-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/imap-devel-static-2000c-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/imap-doc-2000c-1cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6tmlx42jd0JmAcZARAlXnAKCYU+lMg6a2YJBMVrRQOqgKltyDcgCgwKf+ uhK02fb5TIKw09sznWtwfno= =LYFP -----END PGP SIGNATURE----- (6247276) / <secure@CONECTIVA.COM.BR>/----(Ombruten)