Fwd: pre-login buffer overflow in Cyrus IMAP server

Simon Josefsson jas at extundo.com
Thu Dec 5 19:27:15 EST 2002


Rob Siemborski <rjs3 at andrew.cmu.edu> writes:

> On Tue, 3 Dec 2002, Nels Lindquist wrote:
>
>> On 3 Dec 2002 at 9:57, Steve Wright wrote:
>>
>> > The message below is forwarded from bugtraq.
>> > I've not seen any discussion of this, is an official fix available ?
>> > The "semi-exploit" shown does indeed segfault imapd processes on my Debian
>> > (sid) boxes.
>>
>> I'd imagine there should be patches for 1.6.24 and 2.0.16, as well as
>> 2.1.10.
>
> There are now fixes in CVS for both the pre-login vulnerability and the
> sieve vulnerability for 2.0 (cyrus-2-0-tail) and 2.1 (HEAD).

Any comment on why it took over a month to react to this reported
vulnerability?

A comment explaining why it took so long and what happened in the
meantime would be useful in extrapolating how future vulneribilities
will be handled.  If this has already been discussed somewhere, I am
sorry for duplicating the discussion and would appreciate a pointer.





More information about the Info-cyrus mailing list