Bug#627081: marked as done (STARTTLS plaintext command injection)

Debian Bug Tracking System Thu, 09 Jun 2011 18:57:57 -0700

Your message dated Fri, 10 Jun 2011 01:54:38 +0000
with message-id <e1quqvm-0006yb...@franck.debian.org>
and subject line Bug#627081: fixed in cyrus-imapd-2.2 2.2.13-19+squeeze1
has caused the Debian Bug report #627081,
regarding STARTTLS plaintext command injection
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
627081: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627081
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: cyrus-imapd-2.2
Severity: grave
Tags: security

Hi,
I was found out that Cyrus is also vulnerable to the STARTTLS plaintext
command injection vulnerability originally discovered in Postfix:

http://www.kb.cert.org/vuls/id/555316
http://www.postfix.org/CVE-2011-0411.html

Cyrus bug:
http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424 

Patch:
http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162

Cheers,
        Moritz

--- End Message ---

--- Begin Message ---

Source: cyrus-imapd-2.2
Source-Version: 2.2.13-19+squeeze1

We believe that the bug you reported is fixed in the latest version of
cyrus-imapd-2.2, which is due to be installed in the Debian FTP archive:

cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
  to main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
  to main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
  to main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated cyrus-imapd-2.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 18 May 2011 10:15:26 +0200
Source: cyrus-imapd-2.2
Binary: cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-pop3d-2.2 
cyrus-admin-2.2 cyrus-murder-2.2 cyrus-nntpd-2.2 cyrus-clients-2.2 
cyrus-dev-2.2 libcyrus-imap-perl22
Architecture: source all amd64
Version: 2.2.13-19+squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Debian Cyrus Team 
<pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description: 
 cyrus-admin-2.2 - Cyrus mail system - administration tools
 cyrus-clients-2.2 - Cyrus mail system (test clients)
 cyrus-common-2.2 - Cyrus mail system - common files
 cyrus-dev-2.2 - Cyrus mail system (developer files)
 cyrus-doc-2.2 - Cyrus mail system - documentation files
 cyrus-imapd-2.2 - Cyrus mail system - IMAP support
 cyrus-murder-2.2 - Cyrus mail system (proxies and aggregator)
 cyrus-nntpd-2.2 - Cyrus mail system (NNTP support)
 cyrus-pop3d-2.2 - Cyrus mail system - POP3 support
 libcyrus-imap-perl22 - Interface to Cyrus imap client imclient library
Closes: 627078 627081
Changes: 
 cyrus-imapd-2.2 (2.2.13-19+squeeze1) stable-security; urgency=low
 .
   * Fix infinite loop in case of corrupted index files (Closes: #627078)
   * Add gbp.conf to easy future updates
   * Fix CVE-2011-1926: STARTTLS plaintext command injection
     vulnerability (VU#555316) (Closes: #627081)
Checksums-Sha1: 
 d33cdf822fbe88949000ac18f13e1403ec52ab76 1952 
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 d36e826271cc2c7ed497a7053b73a2ddbc2e1f44 272651 
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 3db78b61c8e46872e09ce0a5b55461e970b088fa 229340 
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 8dc23c34f14b30e4f6b0b79131251192dc1d6ee6 83476 
cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 fe462bd6c07a01a0592955a94d7a4d898f7fbd47 5825038 
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 56b3e0944020bfb1b00a48b95b6828413ccba6f2 960660 
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 c32fba5465cc585d480ff5307447463bfccfbd1c 285904 
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 8811cbb762408879aa51eb144b416563370a46a7 1159580 
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 b172159c2df69461970f91bd6aaf9ab696e9c9c3 620712 
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 53863bbba4f46533aa783aa0404d3b05486651f0 137394 
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 a83fe0ad7b2227618f75d1752ad18c3a6aacade8 274342 
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 880801ecd6c828dce5d69806b0206f7f1cc8cb97 191362 
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Checksums-Sha256: 
 3c6c2d744044b0b9dd6f8b2b72ae3597d78ade8c545e1a0ea78d02d81254859d 1952 
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 993bf73a8f7e431c81ceb4d02b58dc47fc0d00e8a463c1d595ccd48c6279b868 272651 
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 7dbbe84fe25fadbf8e3d4759568d728a2c28b4874d93c6ba2cde1b78af54e1c0 229340 
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 3e70283a40ed9331c5b903563c573fcdc4e3d05e398e80a41337e89b04696356 83476 
cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 5138508b66988cd140ae9e7cde314cc6e1c8964c18dc9f862fdf6461deeba60a 5825038 
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 9f52b991c771523a51d225a1786702825a892f1d5c14c77db3d923c568a79d80 960660 
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 12ca9d7a80ade816a04523b1f056146aa16da56e8fc72eefc1bd3c3b90c39274 285904 
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 1ca40ce809ec0f33b11c7ff0d6796d99619b6f543e5983fdca4f71266baed344 1159580 
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 da8c20e19ce0744c33c3a7a23b337b01e1506516756e691c8c63419e5d496580 620712 
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 9bebfa903533fc65662a5ceff89e3f477cd36c394fce8b62de06cccb9c5afa70 137394 
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 013d408a74bed09ed0104d6f9bb7aa99806a215210efde6f3d6173dc7aecff86 274342 
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 ec1b04f6d715a341a70cb83a8fa5175bf7fb7b399c9d378f03f55d6b5ad55f22 191362 
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb
Files: 
 956df49f3e4bb8b70b62352803931108 1952 mail extra 
cyrus-imapd-2.2_2.2.13-19+squeeze1.dsc
 6c7d14d1a2238f4387f0185b173d6031 272651 mail extra 
cyrus-imapd-2.2_2.2.13-19+squeeze1.diff.gz
 fe2c1f6c1b6b837b29627d701440399a 229340 doc extra 
cyrus-doc-2.2_2.2.13-19+squeeze1_all.deb
 b72bd7a6778e4996b447ae2369e6b801 83476 mail extra 
cyrus-admin-2.2_2.2.13-19+squeeze1_all.deb
 2d242ed052d3aac38be58070d3c9a598 5825038 mail extra 
cyrus-common-2.2_2.2.13-19+squeeze1_amd64.deb
 cd1f2a5daa22c5fe43f0a917e9498762 960660 mail extra 
cyrus-imapd-2.2_2.2.13-19+squeeze1_amd64.deb
 61dcf51e720acd06d92c8c4e99f56e89 285904 mail extra 
cyrus-pop3d-2.2_2.2.13-19+squeeze1_amd64.deb
 a992737f3deb10683d409de06d49391f 1159580 mail extra 
cyrus-murder-2.2_2.2.13-19+squeeze1_amd64.deb
 a8930f70ea90bd49f6b1753a3fd37157 620712 mail extra 
cyrus-nntpd-2.2_2.2.13-19+squeeze1_amd64.deb
 d75c62b1f17f9edf5b576e4dc3725218 137394 mail extra 
cyrus-clients-2.2_2.2.13-19+squeeze1_amd64.deb
 97d29466223c9d2943f9a0b8cc99f517 274342 devel extra 
cyrus-dev-2.2_2.2.13-19+squeeze1_amd64.deb
 6cbdb5b0f65a423809aae7dc1f2a5507 191362 perl extra 
libcyrus-imap-perl22_2.2.13-19+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3TkvUACgkQ9OZqfMIN8nMGGACgg0D+ZmZGAWGxz95hgS4BOpeJ
o9QAnRSQa4yVxK9Ni283o+ZTeqivsDtZ
=Ze5D
-----END PGP SIGNATURE-----

--- End Message ---

_______________________________________________
Pkg-Cyrus-imapd-Debian-devel mailing list
Pkg-Cyrus-imapd-Debian-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-imapd-debian-devel

Bug#627081: marked as done (STARTTLS plaintext command injection)

Reply via email to