Fwd: pre-login buffer overflow in Cyrus IMAP server

[Rob Siemborski]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 3 Dec 2002, Nels Lindquist wrote:

> On 3 Dec 2002 at 9:57, Steve Wright wrote:
>
> > The message below is forwarded from bugtraq.
> > I've not seen any discussion of this, is an official fix available ?
> > The "semi-exploit" shown does indeed segfault imapd processes on my Debian
> > (sid) boxes.
>
> I'd imagine there should be patches for 1.6.24 and 2.0.16, as well as
> 2.1.10.

There are now fixes in CVS for both the pre-login vulnerability and the
sieve vulnerability for 2.0 (cyrus-2-0-tail) and 2.1 (HEAD).  I expect
them to be migrated over to the 2.2 branch (cyrus-imapd-2_2) later today
or early tomorrow.

We'll be officially deprecating 1.x as of now (removal from the web
and ftp sites except for the archives, etc).

I expect to have the new releases out within a day or so after I can give
them some further testing.

- -Rob

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPe0Xd2es8cJc4y/MEQK90ACffRrUowweGZDrgbMEPc5i4aXQzDMAnj29
q0lHh9YugJd/bxfhuLy2vghs
=xzRJ
-----END PGP SIGNATURE-----