Cyrus IMAP Server: Multiple remote vulnerabilities — GLSA 200411-34

The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code.

Affected Packages

net-mail/cyrus-imapd on all architectures
Affected versions < 2.2.10
Unaffected versions >= 2.2.10

Background

The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server.

Description

Multiple vulnerabilities have been discovered in the argument parsers of the 'partial' and 'fetch' commands of the Cyrus IMAP Server (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the 'imap magic plus' code that are vulnerable to exploitation as well (CAN-2004-1011, CAN-2004-1015).

Impact

An attacker can exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server.

Workaround

There is no known workaround at this time.

Resolution

All Cyrus-IMAP Server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.10"

References

Release Date
November 25, 2004

Latest Revision
November 25, 2004: 01

Severity
high

Exploitable
remote

Bugzilla entries