Package: uw-imapd
Severity: grave
Justification: user security hole

The following email appeared on the c-client mailing list today. Thus I suppose the currently shipping libc-client is vulnerable too:
>From [EMAIL PROTECTED] Fri Jan 28 08:33:16 2005
Date: Thu, 27 Jan 2005 14:23:14 -0800 (Pacific Standard Time)
From: Mark Crispin <[EMAIL PROTECTED]>
To: c-client Interest List <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: vulnerability and fix in UW imapd

Problem:

Versions of UW imapd released prior to January 4, 2005 fail to properly authenticate users when using CRAM-MD5 SASL authentication.

Details:

The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system.

Impact limitation:

This vulnerability ONLY affects sites that have explicitly enabled CRAM-MD5 style authentication by creating an /etc/cram-md5.pwd file. CRAM-MD5 style authentication is NOT enabled in the default configuration of UW imapd. Consequently, sites which do not use CRAM-MD5 style authentication (the majority of UW imapd sites) are NOT vulnerable.

An IMAP server which does not advertise CRAM-MD5 style authentication is NOT vulnerable.

Workaround:

If the site uses CRAM-MD5 style authentication, delete or rename the /etc/cram-md5.pwd file to some other name. Note that doing so will revert all passwords to those in the UNIX password system.

Solution:

This problem is fixed in the January 4, 2005 release version of imap-2004b and in all subsequent versions (the current release version is imap-2004c1). This problem is also fixed in the UW imapd version bundled with Pine version 4.62.

The current release version of UW imapd is available at:
  ftp://ftp.cac.washington.edu/mail/imap.tar.Z

The current release version of Pine is available at:
  http://www.washington.edu/pine/getpine
  ftp://ftp.cac.washington.edu/pine/

For more details about this issue, please refer to:
  http://www.kb.cert.org/vuls/id/702777

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

------------------------------------------------------------------
For information about this mailing list, and its archives, see:
http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages uw-imapd depends on:
ii  debconf                 1.4.30.11         Debian configuration management sy
ii  libc-client2002edebian  7:2002edebian1-4  UW c-client library for mail proto
ii  libc6                   2.3.2.ds1-20      GNU C Library: Shared libraries an
ii  libcomerr2              1.35-6            The Common Error Description libra
ii  libkrb53                1.3.6-1           MIT Kerberos runtime libraries
ii  libpam-runtime          0.76-22           Runtime support for the PAM librar
ii  libpam0g                0.76-22           Pluggable Authentication Modules l
ii  libssl0.9.7             0.9.7e-2          SSL shared libraries
ii  openssl                 0.9.7e-2          Secure Socket Layer (SSL) binary a
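For readers who want to see what the RFC 2195 exchange Mark refers to actually looks like, and what "the conditions of successful authentication" have to be, here is an added example. It is not code from UW imapd, from the c-client library or from the mailing-list post, and it does not reproduce the UW imapd logic error, which the advisory does not detail. It shows both sides of a CRAM-MD5 AUTHENTICATE exchange with a server that accepts only when the stored secret for the named user reproduces the client's digest for this challenge, plus the triage check the advisory implies: whether a server's CAPABILITY response advertises AUTH=CRAM-MD5 at all. The secret table, hostname, usernames and CAPABILITY lines are constructed sample data; the on-disk format of /etc/cram-md5.pwd is not modelled.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample data: username -> shared secret. A real server would
# load this from its secret store (UW imapd: /etc/cram-md5.pwd; format not
# modelled here). This table is an assumption for the example only.
SECRETS = {"alice": b"correct horse battery staple"}


def make_challenge(hostname="imap.example.test", nonce=None):
    """Server side: RFC 2195 challenge of the form <random.timestamp@host>."""
    if nonce is None:
        nonce = os.urandom(8).hex()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(username, secret, challenge):
    """Client side: 'username SP lowercase-hex(HMAC-MD5(secret, challenge))'."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("ascii")


def server_verify(response, challenge, secrets=SECRETS):
    """Server side. Returns the authenticated username, or None.

    The only acceptance condition is: the user exists AND HMAC-MD5 of *this*
    challenge under *that user's* secret equals the digest the client sent.
    Every parse failure, unknown user or mismatch fails closed.
    """
    try:
        user, digest = response.decode("ascii").rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    secret = secrets.get(user)
    if secret is None:
        return None  # unknown user: never fall through to success
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    # Constant-time comparison; RFC 2195 digests are lowercase hex.
    return user if hmac.compare_digest(expected, digest.lower()) else None


def authenticate_exchange(username, secret, secrets=SECRETS, nonce=None):
    """Full AUTHENTICATE CRAM-MD5 round trip as it appears on the wire.

    Returns (server_challenge_line, client_response_line, authenticated_user).
    IMAP base64-encodes the challenge in a '+ ' continuation and the client's
    reply on its own line (RFC 3501 section 6.2.2).
    """
    challenge = make_challenge(nonce=nonce)
    wire_challenge = b"+ " + base64.b64encode(challenge)
    wire_response = base64.b64encode(client_response(username, secret, challenge))
    # The server decodes what it received and verifies against the challenge
    # it issued for this connection, never against a challenge of the client's choosing.
    user = server_verify(base64.b64decode(wire_response), challenge, secrets)
    return wire_challenge, wire_response, user


def advertises_cram_md5(capability_line):
    """Triage check: does an untagged CAPABILITY response offer AUTH=CRAM-MD5?

    Per the advisory, a server that does not advertise CRAM-MD5 is not affected.
    """
    tokens = capability_line.strip().upper().split()
    return "AUTH=CRAM-MD5" in tokens


if __name__ == "__main__":
    ch, resp, who = authenticate_exchange("alice", SECRETS["alice"])
    print(f"S: {ch.decode()}\nC: {resp.decode()}\nauthenticated as: {who}")
    # Constructed CAPABILITY lines, one affected-looking, one not.
    print(advertises_cram_md5("* CAPABILITY IMAP4REV1 LITERAL+ IDLE AUTH=CRAM-MD5 AUTH=LOGIN"))
    print(advertises_cram_md5("* CAPABILITY IMAP4REV1 LOGINDISABLED STARTTLS"))
```

The tests a practitioner should run against any CRAM-MD5 verifier are the negative ones: wrong secret, unknown user, a valid digest paired with a different username, and a digest computed for a previous challenge must all be rejected; only the last case in the exchange above is supposed to return a username.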