Fedora 15 : cyrus-imapd-2.4.12-1.fc15 (2011-13860)

high Nessus Plugin ID 56486

Synopsis

The remote Fedora host is missing a security update.

Description

- security fix :

- fixes incomplete authentication checks in nntpd (Secunia SA46093)

- other fixed bugs :

- delayed delete can fail because of invalid names

- cyradm cannot wildcard delete ACLs from a mailbox

- Wrong ENABLE result (doubled names)

- mbpath output changed from 2.3 to 2.4 for remote mailboxes

- xfer fails on unlimited quota (-1)

CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()

Bugs Fixed :

3495 P1 enhancement 2.4.10 Cyrus IMAP Improved duplicate suppression 3498 P1 bug 2.4.10 Cyrus IMAP quota command deletes users quota files 2772 P2 bug 2.4.x (next) Cyrus IMAP cmd_thread cores with bogus ids in references header 3300 P3 bug 2.4.2 Cyrus IMAP SOL_TCP is not defined on NetBSD 3439 P3 bug 2.3.16 Cyrus IMAP formatting issue on logging (or memory corruption ?) 3454 P3 bug 2.4.8 Cyrus IMAP ID with unquoted id_param_list keys not accepted 3463 P3 bug 2.4.x (next) Cyrus IMAP Certain mails will crash imapd if using server side threading 3489 P3 bug 2.4.10 Cyrus IMAP 2.4.10 and quota problem 3491 P3 enhancement 2.4.10 Cyrus IMAP UNAUTHENTICATE and NOOP in timsieved 3492 P3 bug 2.4.10 Cyrus IMAP Add response codes to timsieved 3497 P3 bug 2.4.10 Cyrus IMAP In master/master.c:add_service the variable 'cmd' is set to NULL before syslogging 3503 P3 bug 2.4.10 Cyrus IMAP DragonFly BSD also require PIC objects for perl 3505 P3 bug 2.4.x (next) Cyrus IMAP sync_reset is broken 3506 P3 bug 2.4.x (next) Cyrus IMAP dlist.c uses synchronizing IMAP LITERALS without backchannel. 3507 P3 bug 2.4.x (next) Cyrus IMAP Replication reconciliation fails in default/immediate expunge mode 3526 P3 bug 2.4.10 Cyrus IMAP AFS ptloader reinitialization uses local cell instead of afspts_mycell config option 3532 P3 enhancement 2.5.x (next) Cyrus IMAP Fix file descriptor cleanup 3279 P5 bug 2.4.2 Cyrus IMAP sync_client crashes with empty mech_list before TLS starts 3451 P5 enhancement 2.4.8 Cyrus IMAP config2header assume CC has no spaces

- rebuild to match db library update

- do not conflict with db4-utils

- rebuild to match db library update CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()

Bugs Fixed :

3495 P1 enhancement 2.4.10 Cyrus IMAP Improved duplicate suppression 3498 P1 bug 2.4.10 Cyrus IMAP quota command deletes users quota files 2772 P2 bug 2.4.x (next) Cyrus IMAP cmd_thread cores with bogus ids in references header 3300 P3 bug 2.4.2 Cyrus IMAP SOL_TCP is not defined on NetBSD 3439 P3 bug 2.3.16 Cyrus IMAP formatting issue on logging (or memory corruption ?) 3454 P3 bug 2.4.8 Cyrus IMAP ID with unquoted id_param_list keys not accepted 3463 P3 bug 2.4.x (next) Cyrus IMAP Certain mails will crash imapd if using server side threading 3489 P3 bug 2.4.10 Cyrus IMAP 2.4.10 and quota problem 3491 P3 enhancement 2.4.10 Cyrus IMAP UNAUTHENTICATE and NOOP in timsieved 3492 P3 bug 2.4.10 Cyrus IMAP Add response codes to timsieved 3497 P3 bug 2.4.10 Cyrus IMAP In master/master.c:add_service the variable 'cmd' is set to NULL before syslogging 3503 P3 bug 2.4.10 Cyrus IMAP DragonFly BSD also require PIC objects for perl 3505 P3 bug 2.4.x (next) Cyrus IMAP sync_reset is broken 3506 P3 bug 2.4.x (next) Cyrus IMAP dlist.c uses synchronizing IMAP LITERALS without backchannel. 3507 P3 bug 2.4.x (next) Cyrus IMAP Replication reconciliation fails in default/immediate expunge mode 3526 P3 bug 2.4.10 Cyrus IMAP AFS ptloader reinitialization uses local cell instead of afspts_mycell config option 3532 P3 enhancement 2.5.x (next) Cyrus IMAP Fix file descriptor cleanup 3279 P5 bug 2.4.2 Cyrus IMAP sync_client crashes with empty mech_list before TLS starts 3451 P5 enhancement 2.4.8 Cyrus IMAP config2header assume CC has no spaces

- rebuild to match db library update

- do not conflict with db4-utils

- rebuild to match db library update

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected cyrus-imapd package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=729767

https://bugzilla.redhat.com/show_bug.cgi?id=736838

http://www.nessus.org/u?51e80815

Plugin Details

Severity: High

ID: 56486

File Name: fedora_2011-13860.nasl

Version: 1.12

Type: local

Agent: unix

Published: 10/14/2011

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:15, p-cpe:/a:fedoraproject:fedora:cyrus-imapd

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/5/2011

Vulnerability Publication Date: 9/14/2011

Reference Information

CVE: CVE-2011-3208

BID: 49534

FEDORA: 2011-13860