Package: courier-imap
Version: 4.10.0-20120615-1

Courier IMAP contains a flaw in its STLS implementation that could allow
a remote unauthenticated attacker to inject commands during the plain
text protocol phase that will be executed during the ciphertext protocol
phase.

E.g.

a1 STARTTLS\r\na2 CAPABILITY\r\n

Sent in a single packet to port 143 makes courier-imap respond with:

a1 OK Begin SSL/TLS negotiation now.
a2 OK CAPABILITY completed

I suggest sanitising the data input of the STARTTLS negotiation.

I am using Debian GNU/Linux 7.11, kernel 3.2.0-4-amd64.
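
The behaviour reported above, next to one remedy (discarding any input still buffered when STARTTLS is accepted), as an added example that is not part of the original report and is not Courier's code. run_session and discard_on_starttls are hypothetical names, the sample packet is the one quoted in the report, and the TLS handshake itself is not modelled.

```python
# Constructed model of a line-buffered IMAP command loop (assumption: the
# server parses every complete line found in its read buffer, in order).

PACKET = b"a1 STARTTLS\r\na2 CAPABILITY\r\n"  # single cleartext segment from the report


def run_session(packet: bytes, discard_on_starttls: bool):
    """Parse one cleartext read; return (responses, injected_commands)."""
    buf = packet
    tls_active = False      # stands in for "TLS negotiation has been started"
    responses, injected = [], []

    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        tag, _, cmd = line.decode("ascii").partition(" ")
        cmd = cmd.upper()

        if tls_active:
            # These bytes arrived before TLS, yet they are handled after it:
            # this is the injected command.
            injected.append(cmd)

        if cmd == "STARTTLS":
            responses.append(f"{tag} OK Begin SSL/TLS negotiation now.")
            tls_active = True
            if discard_on_starttls:
                # Hardened path: nothing read in cleartext may survive
                # the switch to the protected channel.
                buf = b""
        elif cmd == "CAPABILITY":
            responses.append(f"{tag} OK CAPABILITY completed")
        else:
            responses.append(f"{tag} BAD Unknown command")

    return responses, injected


if __name__ == "__main__":
    for hardened in (False, True):
        responses, injected = run_session(PACKET, discard_on_starttls=hardened)
        print("hardened" if hardened else "vulnerable", responses, injected)
```
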
