-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 24                                        20091002
================================

Package:            Kolab Server, Cyrus IMAP Server
Vulnerability:      buffer overflow in the SIEVE script parser (CVE-2009-2632)
Kolab Specific:     no
Dependent Packages: none

Summary
~~~~~~~

The Cyrus IMAP mail server supports the SIEVE mail filtering language.
Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow in the
SIEVE script parser (src/sieve/script.c) that can be triggered by a
specially crafted SIEVE script. To install such a script, an attacker
needs authenticated access to a mail account on the server, so the issue
is not exploitable anonymously, but any user who can upload a SIEVE
script can trigger it.

Affected Versions
~~~~~~~~~~~~~~~~~

Cyrus IMAP Server 2.2.x and 2.3.x up to and including 2.3.14 are
affected; upstream fixed the issue in 2.2.13p1 and 2.3.15.

Kolab Server 2.2.2 and all previous releases are affected.

Fix
~~~

Upgrade the Cyrus IMAP Server package to imapd-2.3.13-20081020_kolab3,
which includes the upstream patch for src/sieve/script.c.

OpenPKG packages for Kolab Server 2.2.2 are available from

  http://files.kolab.org/server/security-updates/20091002/

or from the mirrors listed on

  http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Lenny) is
available as

  imapd-2.3.13-20081020_kolab3.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.2 (ix86 Debian GNU/Linux Etch) is
available as

  imapd-2.3.13-20081020_kolab3.ix86-debian4.0-kolab.rpm

The source and binary packages above have also been verified to work
with Kolab Server 2.2.0, so the imapd package can be upgraded on that
release without a full Kolab upgrade.

All other server versions: upgrade to Kolab Server 2.2.x first, then
install the updated imapd package.
You can check the integrity and origin of the downloaded files with:

  $ gpg --keyserver keys.gnupg.net --recv-key 5816791A

or import the key from

  https://www.intevation.de/~thomas/gpg_pub_key.asc

and then run

  $ gpg --verify SHA1SUMS.sig
  $ sha1sum -c SHA1SUMS

Note that "gpg --verify" reports a good signature for whichever key made
it, trusted or not; confirm that the reported key ID (preferably the
full fingerprint, obtained from a source other than the download site)
is the Kolab signing key before relying on the contents of SHA1SUMS.
The SHA-1 checksums alone only detect corrupted downloads; the signature
is what ties them to the Kolab project.

The source package can be compiled and installed on your Kolab Server
with:

  # su - kolab
  $ openpkg rpm --rebuild --define 'with_fsl yes' --define 'with_group yes' \
      --define 'with_group_igncase yes' --define 'with_atvdom yes' \
      --define 'with_ldap yes' --define 'with_annotate yes' \
      --define 'with_morelogging yes' --define 'with_kolab yes' \
      --define 'with_kolab_nocaps yes' \
      ...path/to.../imapd-2.3.13-20081020_kolab3.src.rpm
  $ openpkg rpm \
      -Uvh /kolab/RPM/PKG/imapd-2.3.13-20081020_kolab3.--kolab.rpm

To install a binary package, skip the rebuild step:

  # su - kolab
  $ openpkg rpm \
      -Uvh ...path/to.../imapd-2.3.13-20081020_kolab3.--kolab.rpm

Alternatively, copy or symlink all source and binary RPMs and the
install-kolab.sh of your current installation, together with the source
RPM from this advisory, into a new directory and follow the section
"Generating your own 00INDEX.rdf for installations or upgrades" in
1st.README. This generates a new installer that compiles and installs
the new package without requiring the "--define" options above.

Details
~~~~~~~

  http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
    Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

  https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
  https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67&r2=1.68
    Upstream patch for src/sieve/script.c by Bron Gondwana

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2632
    CVE-2009-2632

Timeline
~~~~~~~~

20090909  Cyrus IMAPd 2.2.13p1 & 2.3.15 released.
20090922  Fix available via Kolab CVS, started testing.
20091002  Kolab Server security advisory published.
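The verification steps from the Fix section, as an added example that is not part of this advisory or of the Kolab installer: a POSIX shell script that fails closed where the bare commands do not. "gpg --verify" exits 0 for any cryptographically good signature, including one from a key you have never validated, so the script reads the machine-readable --status-fd output and insists on a VALIDSIG line carrying the expected fingerprint; it then checks the SHA-1 sums of only the RPMs you actually downloaded, and treats a file that is missing from SHA1SUMS as a failure. It assumes (none of this is stated in the advisory) that the full 40-hex-digit fingerprint of key 5816791A has been obtained out of band and is supplied in the environment variable KOLAB_SIGNING_FPR, and that SHA1SUMS and SHA1SUMS.sig sit in the current directory beside the RPMs. The names KOLAB_SIGNING_FPR, check_validsig, check_sha1sums and verify_update are the example's own.

```shell
#!/bin/sh
# Added example, not from the Kolab advisory or its installer.
# Verifies a downloaded Kolab security update: signed SHA1SUMS first,
# then the checksum of each RPM we intend to install.
#
# Assumptions (not stated in the advisory):
#  - KOLAB_SIGNING_FPR holds the full fingerprint of key 5816791A,
#    obtained out of band; a short key ID alone is not a unique identifier.
#  - SHA1SUMS and SHA1SUMS.sig are in the current directory.

# check_validsig STATUS_FILE EXPECTED_FPR
# Reads "gpg --status-fd" output and succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the signing key or its primary key. A plain
# "gpg --verify" exit status of 0 does not tell you which key signed.
check_validsig() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3: fingerprint of the key that made the signature
            # $12: fingerprint of its primary key (when gpg reports it)
            if ($3 == want || $12 == want) ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# check_sha1sums SUMSFILE FILE...
# Checks only the named files. Running "sha1sum -c" on the whole SHA1SUMS
# fails on entries for packages we never downloaded, and a file with no
# entry at all must fail instead of passing silently (sha1sum -c exits
# non-zero when it is given no checksum lines).
check_sha1sums() {
    sums=$1; shift
    for f in "$@"; do
        awk -v f="$f" '$2 == f || $2 == "*" f' "$sums" |
            sha1sum -c - >/dev/null 2>&1 || return 1
    done
}

# verify_update FILE...
# Full procedure: detached signature over SHA1SUMS, key check, checksums.
verify_update() {
    status=$(mktemp) || return 1
    # Status lines go to fd 1 (the temp file); human-readable text to stderr.
    if ! gpg --status-fd 1 --verify SHA1SUMS.sig SHA1SUMS >"$status" 2>/dev/null; then
        rm -f "$status"; echo "bad or missing signature on SHA1SUMS" >&2; return 1
    fi
    if ! check_validsig "$status" "$KOLAB_SIGNING_FPR"; then
        rm -f "$status"; echo "SHA1SUMS is signed by an unexpected key" >&2; return 1
    fi
    rm -f "$status"
    check_sha1sums SHA1SUMS "$@" || { echo "checksum mismatch or unlisted file" >&2; return 1; }
}

# Usage: KOLAB_SIGNING_FPR=<fingerprint> ./verify-update.sh imapd-2.3.13-20081020_kolab3.src.rpm
if [ "$#" -gt 0 ]; then
    : "${KOLAB_SIGNING_FPR:?set to the full fingerprint of the Kolab signing key}"
    verify_update "$@" && echo "verified: $*"
fi
```

Only after verify_update succeeds should the RPM be handed to "openpkg rpm". The fingerprint comparison is done on the VALIDSIG line rather than on GOODSIG because GOODSIG carries only the 64-bit key ID and the user ID string, neither of which is a reliable identity check.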
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrF2pYACgkQW7P1GVgWeRr/9ACfTitATIM40tEJ+z66Awe5HrXX
upMAn2opjdaimN5H+YN/H/NnQbaUAntm
=cZj0
-----END PGP SIGNATURE-----