<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200411-34"> <title>Cyrus IMAP Server: Multiple remote vulnerabilities</title> <synopsis> The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code. </synopsis> <product type="ebuild">cyrus-imapd</product> <announced>2004-11-25</announced> <revised count="01">2004-11-25</revised> <bug>72194</bug> <access>remote</access> <affected> <package name="net-mail/cyrus-imapd" auto="yes" arch="*"> <unaffected range="ge">2.2.10</unaffected> <vulnerable range="lt">2.2.10</vulnerable> </package> </affected> <background> <p> The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. </p> </background> <description> <p> Multiple vulnerabilities have been discovered in the argument parsers of the 'partial' and 'fetch' commands of the Cyrus IMAP Server (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the 'imap magic plus' code that are vulnerable to exploitation as well (CAN-2004-1011, CAN-2004-1015). </p> </description> <impact type="high"> <p> An attacker can exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All Cyrus-IMAP Server users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.10"</code> </resolution> <references> <uri link="https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011">CAN-2004-1011</uri> <uri link="https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012">CAN-2004-1012</uri> <uri link="https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013">CAN-2004-1013</uri> <uri link="https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015">CAN-2004-1015</uri> <uri link="http://security.e-matters.de/advisories/152004.html">e-matters Advisory</uri> <uri link="http://asg.web.cmu.edu/cyrus/download/imapd/changes.html">Cyrus IMAP Server ChangeLog</uri> </references> <metadata tag="requester" timestamp="2004-11-23T18:38:38Z"> koon </metadata> <metadata tag="submitter" timestamp="2004-11-23T22:08:00Z"> lewk </metadata> <metadata tag="bugReady" timestamp="2004-11-24T17:22:57Z"> lewk </metadata> </glsa>